Physical Protection Program Manual <ORG> SO <SUMMARY> This Manual provides detailed requirements to supplement DOE O 473.1, Physical Protection Program, which establishes policy, requirements, responsibilities, and authorities for the physical protection of safeguards and security interests (e.g., Departmental property and assets on fixed facilities and in transit, including nuclear weapons, special nuclear material, vital equipment, and classified matter). This Manual contains 15 chapters that provide detailed requirements for protection of safeguards and security interests. <DATE_ISSUE> 02/9/2000 <DATE_CLOSE> <TEXT> <h3><b>To comment on this manual, please go to <a href="http://www.revcom.doe.gov">RevCom</a>.</b></h3> PHYSICAL PROTECTION PROGRAM MANUAL 1. PURPOSE. This Department of Energy (DOE) Manual provides detailed requirements to supplement DOE O 473.1, Physical Protection Program, which establishes policy, requirements, responsibilities, and authorities for the physical protection of safeguards and security interests (e.g., Departmental property and assets on fixed facilities and in transit, including nuclear weapons, special nuclear material, vital equipment, and classified matter). This Manual contains 15 chapters that provide detailed requirements for protection of safeguards and security interests. 2. APPLICABILITY. a. DOE Elements. This Manual applies to all DOE elements. b. Contractor. Except as excluded in Paragraph 2c below, this Manual applies to all covered contractors (i.e., any DOE contractor or subcontractor subject to DOE Acquisition Regulation, Part 952.204.2, or other clause requiring protection of classified information, nuclear material, or other sensitive information or activities) subject to the provisions of DOE O 473.1, to the extent implemented under a contract. Contractor requirements are listed in the Contractor Requirements Document (CRD), Attachment 1. The CRD is issued to aid procurement organizations in identifying the provisions of this Manual that are to be applied to DOE contractors, and they will apply to the extent implemented under a contract or other agreement. c. Exclusions. DOE facilities and activities regulated by the Nuclear Regulatory Commission. 3. CANCELLATIONS. DOE M 473.1-1 cancels DOE Manual 5632.1C-1, Manual For The Protection And Control of Safeguards And Security Interests, dated 7-15-94. The provisions of DOE O 6430.1A, General Design Criteria, have been incorporated into this Manual, canceling its security design criteria requirements. Cancellation of an Order or Manual does not, by itself, modify or otherwise affect any contractual obligation to comply with such an Order or Manual. Canceled Orders and Manuals which are incorporated by reference into a contract shall remain in effect until the contract is modified to delete the reference to the requirements in the canceled Order or Manual. 4. REFERENCES AND DEFINITIONS. a. See Attachment 2 for a list of references pertinent to the protection of safeguards and security interests. b. Definitions of terms commonly used in the Safeguards and Security Program are provided in the "Safeguards and Security Glossary of Terms," which is maintained and distributed by the Office of Safeguards and Security. 5. DEVIATIONS. Deviations (i.e., variances, waivers, and exceptions) from the protection requirements prescribed by DOE M 473.1-1 must be processed in accordance with DOE O 470.1, Safeguards And Security Program. The Office of Safeguards and Security deviation program is an approved process that meets the definition in DOE M 251.1-1, Directives System Manual, for exemptions. Deviations to this Manual must provide a 30-day window from receipt by the Department's Office of Safeguards and Security for comments and concurrence as stated in M 251.1-1. 6. ASSISTANCE. Questions concerning this Manual should be directed to the Program Manager, Protection Operations Program, at 301-903-5693. 7. IMPLEMENTATION. Any requirements that cannot be implemented within 6 months of the effective date of this Manual or within existing resources must be documented by heads of field elements and submitted to the program offices and to the Office of Safeguards and Security. CHAPTER I PROTECTION PLANNING 1. PLANNING. The details of site physical protection measures contained in this Manual must be addressed in the site safeguards and security plans (SSSP), as required by DOE O 470.1, SAFEGUARDS AND SECURITY PROGRAM, dated 9-28-95. a. In locations where an SSSP is not required due to the limited scope of safeguards and security interests, a security plan must be developed to describe the protection program. b. The graded physical protection measures provided various safeguards and security interests, including critical infrastructure assets, and DOE property, must be described, justified, and documented in the SSSP or in the security plans. 2. PROTECTION STRATEGY. Protection strategies must be selected, developed, and implemented to protect security interests as required by DOE O 470.1. The primary protection strategies that shall be in place for Category I and II quantities of special nuclear materials (SNM) are denial and containment, depending upon the security interest. Required secondary protection strategies for Category I and II quantities of SNM-that is, recapture, recovery, and pursuit must be developed and in place in the event that the primary protection strategy (denial or containment) fails. Overall site protection strategies shall be planned to incorporate both primary and secondary protection strategies, as needed. a. Strategies. Protection strategies shall be graded to address varying circumstances. (1) Denial Strategy. A denial strategy shall include the capabilities necessary to prevent an adversary from gaining unauthorized access to a security interest. (2) Containment Strategy. A containment strategy must include the capabilities necessary to prevent an adversary from escaping from a site and/or facility with the security interest. (3) Recapture Strategy. A recapture strategy must include the capabilities necessary to locate and/or regain control of a security interest, which that is under unauthorized control while still within the confines of a DOE site/facility. The recapture strategy must ensure that, at a minimum, adversaries are neutralized prior to the completion of established adversary tasks times. (4) Recovery Strategy. A recovery strategy must include the capabilities of locating necessary to locate and/or regain control of a security interest, which that is under unauthorized control, and that has been removed from within the confines of a DOE site/facility. (5) Pursuit Strategy. A pursuit strategy must include the capabilities of giving necessary to give chase for the purpose of regaining control (recovery) of a security interest, that is under unauthorized control and that has been removed from within the confines of a DOE site/facility. b. Strategies for Specific Security Interests. (1) Those DOE facilities that possess, transport, process, and store safeguards and security interests, (for example, Category I quantities of SNM) where unauthorized access presents an unacceptable risk (for example, detonation of a nuclear device, theft of a device, or creation of an improvised nuclear device or nuclear dispersal device) must be protected with a denial strategy designed to prevent unauthorized access to the security interest. (a) The denial strategy must use protection measures (e.g., personnel reliability programs, denial barriers/systems, protective forces, etc.) to ensure that unauthorized access is not achieved. (b) Should the denial strategy fail, an immediate and timely recapture strategy must be in place to ensure that, at a minimum, adversaries are neutralized prior to the completion of established adversary task times. (c) Should the adversary escape with the security interest, robust recovery and pursuit strategies must be implemented. (2) Those DOE facilities that possess, transport, process, and store Category I quantities of SNM where unauthorized access does not present unacceptable risk and/or Category II quantities of SNM, including those quantities that roll- up to Category I, must be protected with a strategy of containment. Should the containment strategy fail, immediate and timely recapture, recovery, and pursuit strategies must be in place. c. Strategies for the physical protection of Categories III and IV quantities of SNM must incorporate the applicable protection requirements established in Chapter II, and; these strategies must be described in the SSSP. d. Strategies for the physical protection of classified matter must incorporate the applicable requirements established in Chapter III of this Manual. The strategy must be based on efforts that will detect or deter unauthorized disclosure, modification, loss of availability, and removal from a site or facility of classified information or sensitive but unclassified information. e. Strategies for the physical protection of any category or quantity of SNM that is considered a radiological/toxicological sabotage targets target must incorporate the applicable requirements established in Chapter IV. Protection strategies must be designed to prevent acts of radiological/toxicological sabotage acts that would pose significant dangers to the health and safety of employees, the public, or the environment. These strategies may be graded to address varying circumstances and may range from denial to containment. f. Strategies for the physical protection of critical infrastructure assets must include the identification of assets and protection. A vulnerability assessment of these assets include must be conducted to identify the threat posed, and the probability of its occurrence. Remedial action plans must be developed to mitigate the effect to critical infrastructure assets by eliminating the vulnerabilities or reducing them to an acceptable level. Existing security interest protection programs must be used where available and must be contained within the minimum of a DOE limited area. g. Strategies for the physical protection of other safeguards and security interests and the protection of DOE property must be developed and implemented in security plans. 3. GRADED PROTECTION. Protection may be applied in a graded manner. a. Layers of Protection. The adequacy of physical security systems is determined by protection strategies designed to ensure that the security interests are protected by ascending layers of protection graded to accommodate the security areas to be protected. b. Graded Protection Requirements. The level of effort and magnitude of resources expended to protect a security interest must be commensurate with the security interest's importance or the effect of its loss, destruction, or misuse. (1) The highest level of protection must be given to security interests whose loss, theft, compromise, sabotage, and/or unauthorized use will have seriously affect national security, and/or impact the health and safety of DOE and contractor employees, the public, and the environment, or the continuity of DOE programs. For example, theft of SNM has severe consequences and therefore requires the highest reasonably attainable level of security. (2) Asset valuation, threat analysis, and vulnerability assessments must be considered, along with the acceptable level of risk and any uncertainties, to determine if the risk is significant and what protection measures should be applied. (3) Protection of other interests must be graded accordingly. Protection -related plans must describe and document the rationale used for selecting the graded protection provided the various safeguards and security interests. 4. PERFORMANCE ASSURANCE. Safeguards and security protection program systems must be tested as required by DOE O 470.1, Chapter III, to ascertain effectiveness in providing countermeasures to address design basis threats. CHAPTER II PROTECTION OF NUCLEAR WEAPONS, SPECIAL NUCLEAR MATERIAL AND VITAL EQUIPMENT 1. GENERAL. This chapter outlines requirements for protecting nuclear weapons and Categories I through IV quantities of SNM. The priority of protection shall be designed to prevent malevolent acts such as theft, and radiological sabotage. a. Protection afforded SNM shall be graded according to the nuclear material safeguards category, as defined in Figure I-2 of DOE M 474.1-1, MANUAL FOR CONTROL AND ACCOUNTABILITY OF NUCLEAR MATERIALS, dated 8-11-99, and must reflect the specific nature of nuclear weapons or SNM existing at each site. (1) DOE O 474.1, CONTROL AND ACCOUNTABILITY OF NUCLEAR MATERIALS, and DOE M 474.1-1, both dated 8/11/99, must be used to determine the potential to accumulate a Category I quantity of SNM by theft from more than one location (roll-up) within the same protected area. (2) Facilities outside a protected area containing Category III and IV Attractiveness l Level B and C SNM must ensure that these areas do not contain a credible roll-up accumulation of Category I or II materials. If a roll- up situation could develop, the materials must be protected at the higher category level. b. A facility may not possess, receive, process, transport, or store nuclear weapons and SNM until that facility has been approved as required by DOE O 470.1. c. Protection of nuclear material production, reactors, and fuel must be consistent with the category of SNM involved and/or the consequences of radiological sabotage. d. An integrated, graded system of positive measures must be developed and implemented to protect Category I SNM, and nuclear weapons and to address physical protection from denial and neutralization, as well as containment recapture/recovery and/or pursuit. e. The following are examples of factors must be considered in determining physical protection for each category of SNM: ease of separability, accessibility, and concealment; quantity, chemical form, isotopic composition, purity, and containment; portability; protection strategies; radioactivity; and self-protecting features. f. SNM that is classified because of its configuration or content, or because it is part of a classified item, must receive the physical protection required by the highest level of classification of the configuration, content, item, or category of SNM involved. g. Specific physical protection requirements, such as systems and protective personnel response capabilities necessary to satisfy identified protection needs, must be documented. 2. ACCESS. Access controls must be in place to ensure that only properly cleared and authorized personnel are permitted unescorted access to SNM. Access authorizations (security clearances) must be granted according to DOE O 472.1B, PERSONNEL SECURITY ACTIVITIES. See Table 1 of this Manual for SNM access authorization requirements. 3. INTRUSION DETECTION SYSTEM. Category I and II quantities of SNM and nuclear weapons must be protected by an integrated physical protection system using response forces and intrusion detection systems (IDS) with tamper-indicating devices. 4. BARRIERS AND DELAY MECHANISMS. Delay mechanisms must be employed to prevent removal or unauthorized use of Category I and II quantities of SNM. Delay mechanisms may include both passive barriers (e.g., walls, ceilings, floors, windows, doors, and security bars) and activated barriers (e.g., sticky foam, pop-up barriers, and cold smoke). 5. PROTECTIVE FORCE POSTS. See DOE 5632.7A, PROTECTIVE FORCE PROGRAM, or DOE O 473.2, PROTECTIVE FORCE PROGRAM, when implemented. Protective force personnel must be available and positioned to respond to a threat so that they can deny, neutralize, contain, and/or interrupt adversaries, or perform recapture/recovery and pursuit missions within the required response times. The response action must be based on the protection strategy specified in the SSSP or site security plan. 6. STORAGE. Each facility must have controls for all categories of nuclear materials held in storage, consistent with the graded safeguards approach required by Chapter XI of this Manual. Controls for storage must: a. be formally documented; b. ensure that only authorized personnel have access to the storage repositories; c. prevent and/or detect unauthorized access; d. describe procedures used to authenticate material movements into or out of a storage location; e. include procedures for investigating and reporting abnormal conditions; f. provide a record system to document ingress/egress to storage; and g. define procedures for conducting inventories and daily administrative checks. 7. CATEGORY I QUANTITIES OF SPECIAL NUCLEAR MATERIAL. The following requirements apply to the storage, use or in process, and the transport of Category I quantities of SNM. a. In-Process. Material must be used or processed within material access areas. Any location within a material access area that contains unattended Category I quantities of SNM in use or process must be equipped with an IDS or other effective means of intrusion detection as approved by the local DOE authority for safeguards and security. Material in use may not be left unattended without being protected according to the open storage protection requirements of this Manual, Chapters III, and XI. b. Storage. Material that is not in use or process must be stored within a material access area as follows. (1) Category I SNM, Attractiveness Level A material must be stored in a vault. Storage facilities for Category I SNM Attractiveness Level A, constructed after 7-14-94 must be constructed underground or below-grade. (2) Category I SNM, Attractiveness Level B material must be stored in a vault or provided enhanced protection that exceeds vault-type room storage [e.g., collocated with protective force response station and/or activated barrier(s)]. (3) Category I SNM, Attractiveness Level C material, must, as a minimum, be stored in a vault-type room. c. In-Transit. The following requirements apply to the protection of material in transit. (1) Domestic off site shipments of Category I quantities of SNM must be made by the Transportation Safeguards System, managed by the DOE Albuquerque Operations Office. (2) Packages or containers containing SNM must be sealed with tamper-indicating devices. (3) To protect against threats, protection measures for movements of material between protected areas at the same site, or between protected areas and staging areas at the same site, must be under direct surveillance by the protective force personnel as established in the "Design Basis Threat for Department of Energy Programs and Facilities (U)," and as documented in the SSSP. Table 1. Access Authorization (Security Clearance) Requirements for Unescorted Access to SNM. Special Nuclear Material Category Type of Access Authorization Required for Unescorted Access Remarks I and II with credible roll-up to I Q Hands-on access or transportation of Category I quantities of SNM may require additional measures, such as Personnel Security Assurance Program participation and/or enhanced material surveillance procedures, to further reduce the probability of insider acts. Document in the SSSP. II and III L Unless special circumstances determined by site vulnerability assessment, require Q access authorization to minimize risk. Document in SSSP. IV None Unless special circumstances determined by site vulnerability assessment, require access authorization to mitigate risk. Document in SSSP. 8. CATEGORY II QUANTITIES OF SPECIAL NUCLEAR MATERIAL. The following requirements apply to storage and use or in process of Category II quantities of SNM. a. In-Process. Material must be used or stored only within a protected area. Any location within a protected area that contains unattended Category II quantities of SNM in use or in process must be equipped with intrusion detection systems IDSs or other effective means of intrusion detection. Material in use may not be left unattended without being protected according to the open storage protection requirements of this Manual, Chapters III, and XI. b. Storage. When not in use or process, material must be stored in a vault or vault-type room located within a protected area. c. In-Transit. Shipments must conform to the shipment requirements for Category I quantities of SNM. (See Paragraph 7c above.) 9. CATEGORY III QUANTITIES OF SPECIAL NUCLEAR MATERIAL. The following requirements apply to storage, use, and transport of Category III quantities of SNM. a. In-Process. Material must be processed within the minimum protection of a limited area. b. Storage. When not in process or when unattended, material must be stored within a limited area and secured within a locked security container or locked room. The container or locked room containing the matter must be under the protection of an IDS or protective patrol as required by Chapter III of this Manual. c. In-Transit. (1) Domestic off site shipments of classified configurations of Category III quantities of SNM may be made by the Transportation Safeguards System. (2) Methods of shipping unclassified configurations. (a) Truck or Train. Truck or train shipments must meet the following requirements. 1 Government-owned or exclusive-use truck, commercial carrier, or rail may be used to ship Category III quantities of SNM. 2 The transport vehicle must be inspected in detail before loading and shipment. Cargo compartments must be locked and sealed while en route. 3 Personnel assigned to escort shipments must periodically communicate with a control station operator who can request appropriate local law enforcement agency response, if needed. 4 Shipments must be made without intermediate stops except for emergency reasons, driver relief, meals, refueling, or transfer of security interests. (b) Air Shipment. Category III quantities of SNM may be shipped by air if not otherwise prohibited by statute or otherwise limited by implementing instructions. Shipments must be under the direct observation of the authorized escorts during all land movements and loading and unloading operations. (3) Movements of Category III quantities of SNM between security areas at the same site must comply with the appropriate locally developed security plan. 10. CATEGORY IV QUANTITIES OF SNM. The following requirements apply to storage and use of Category IV quantities of SNM. a. In-Process. Material must be processed according to locally developed security procedures. b. Storage. When not in process or when unattended, material must be stored according to the procedures approved and implemented in the security plan. c. In-Transit. (1) Domestic off site shipments of classified configurations of Category IV quantities of SNM may be made by the Transportation Safeguards System, under procedures approved by the Albuquerque Operations Office as deemed appropriate, and by agreements between the Manager, Albuquerque Operations Office, and the respective heads of field elements. (2) Shipments of unclassified configurations of material may be made by truck, rail, or water in commercial, for-hire, or leased vehicles. If not otherwise prohibited by state or Federal laws, Category IV quantities of SNM may also be shipped by air. (a) Shipments (except laboratory analysis samples or reference materials) must be arranged with a capability to trace and identify, within 24 hours of request, the precise location where a shipment went astray in the event that it fails to arrive at the destination at the prescribed time. (b) Shippers are required to give the consignee an estimated time of arrival before dispatch, and to follow up with a written confirmation not later than 48 hours after dispatch. (c) Consignees must promptly notify the shipper by telephone and written confirmation upon determination that a shipment has not arrived by the scheduled time. 11. VITAL EQUIPMENT. SSSPs are required to define applicable threats and measures planned to protect vital equipment from hostile actions. CHAPTER III PROTECTION OF CLASSIFIED MATTER 1. GENERAL REQUIREMENTS. a. Classified SNM must be protected in accordance with Chapter II of this Manual if the SNM categories and attractiveness levels dictate more stringent requirements. b. When possible, classified matter shall be processed, handled, or stored in security areas providing control measures equal to or greater than those present in Limited Area. When Top Secret or Secret matter is not processed, handled, and/or stored within Limited Areas or above, it shall be maintained in an accountability system as required in DOE M 471.2-1B, Chapter II. c. All classified matter storage facilities, e.g., GSA approved containers, vaults and vault- type rooms, shall be within facilities, buildings, rooms, structures, etc., and must be afforded the protection measures necessary to prevent unauthorized persons from gaining access to classified matter and materials. d. The physical protection requirements of this Manual must be implemented for all new and existing DOE facilities, buildings, and areas used or to be used to protect DOE security interests. 2. STORAGE REQUIREMENTS. The following physical security storage requirements apply to classified safeguards and security interests. (Items in this chapter may duplicate provisions of DOE M 471.2-1B to provide continuity of protection information. Notify the Office of Safeguards and Security of any conflict in requirements.) a. Restrictions on Use of Secure Storage Repositories. (1) Funds, firearms, medical items, controlled substances, precious metals, or other items susceptible to theft may not be stored in the same secure storage repository used to store classified matter. (2) Secure storage repositories may not bear any external classification or other markings that would indicate the level of classified matter authorized to be stored within the container. For identification purposes, each security container must externally bear a uniquely assigned number. b. Security containers required for the storage of classified matter must conform to General Services Administration (GSA) standards and specifications. Vaults and vault- type rooms required for storage must meet the requirements of Chapter XI of this Manual. Classified matter that is not under the personal control of an authorized person must be stored as prescribed below. NOTE #1: Protective force personnel must examine exposed surfaces of the container, vault, vault-type-room, and steel filing cabinets for evidence of any forced entry and to ensure that the container or door is locked. NOTE #2: The times indicated below may be used when the safeguards and security interest is NOT SNM. If the safeguards and security interest is SNM, response times must be based on the amount of time required to implement the protection strategy (i.e., denial, containment), as specified in Chapters I and II of this Manual. NOTE #3: "Under the protection of intrusion detection alarms" means that the security containers must be protected within the protection envelope of alarm sensors. (1) Top Secret Matter. Top Secret matter must be stored in one of the following ways: NOTE: Top Secret matter not stored in security areas providing control measures equal to or greater than those present in limited areas must be maintained in an accountability system as required in DOE M 471.2-1B. (a) in a locked, GSA-approved security container with one of the following supplemental controls: 1 under intrusion detection alarm protection and protective force response personnel are capable of arriving within 15 minutes of alarm annunciation, 2 protective force personnel perform inspections on a 2-hour basis, or 3 in a security container equipped with a lock meeting Federal Specification FF-L-2740, but only if the container is located in a limited, exclusion, protected, or material access area; (b) in a vault within the minimum of a limited area and approved by the cognizant DOE element. The vault must be equipped with intrusion detection protection and protective force personnel must be capable of responding within 15 minutes of alarm annunciation. The vault shall be located within a limited, exclusion, protected, or material access area; (c) in a vault-type room within the minimum of a limited area and approved by the cognizant DOE element. The vault-type room shall be equipped with intrusion detection protection with protected force response within 15 minutes of alarm annunciation. The vault-type room shall be located within a limited, exclusion, protected, or material access area; (d) In a vault-type room, if located outside a minimum of a Limited, exclusion, protected, or material access area, the vault type room shall be under IDS protection with protective force response arriving within 5 minutes of alarm annunciation. (2) Secret Matter. Secret matter must be stored in a manner authorized for Top Secret matter or in one of the following ways: NOTE: Secret matter not stored in security areas providing control measures equal to or greater than those present in limited areas must be maintained in an accountability system as required in DOE M 471.2-1B. (a) in a locked GSA-approved security container, or vault without supplemental controls; (b) in a vault-type room and approved by the cognizant DOE element; the vault-type room must be equipped with intrusion detection protection and protective force personnel must be capable of responding within 30 minutes of alarm annunciation; the vault-type room must be located within a limited, exclusion, protected, or material access area; (c) in a vault-type room, located outside of a DOE limited or higher security area, and approved by the cognizant DOE element; when located outside of the minimum of a limited area, the vault-type room must be under intrusion detection alarm protection and protective force personnel must be capable of responding within 15 minutes of alarm annunciation; (d) in steel filing cabinets not meeting GSA requirements (such containers purchased and approved for use prior to 7-15-94 may continue to be used until October 1, 2012) that must be equipped with three-position, dial-type, built-in changeable combination locks. The cabinet must be located in a locked area or building within a limited, exclusion, protected, or material access area. In addition, one of the following supplemental controls is required: 1 intrusion detection alarm protection that provides for protective force response within 30 minutes of alarm annunciation when the area is unattended , or 2 the container is inspected every 4 hours by protective force when unattended, or by cleared duty personnel. (3) Confidential Matter. Confidential matter shall be stored in the same manner as prescribed for Top Secret or Secret information except the supplemental controls are not required. c. Nonstandard Methods of Storage. Physical protection storage methods of this chapter apply for Top Secret, Secret, and Confidential matter regardless of size, weight, construction, or other characteristics. When standard protection storage methods cannot be met, a request for alternative, or equivalent storage methods must be submitted for approval to the Office of Primary Interest, SO-21, forwarded through the appropriate field elements and program offices. (1) Measures to be implemented for each nonstandard condition must be documented in the applicable SSSP or security plan after approval by the DOE, Office of Safeguards and Security. (2) minimum measures to be used in place of standard protection requirements must utilize either barriers, intrusion detection, and protective personnel, or a combination of those protective means. (3) For protective force to be employed as a specified supplemental protection measure, due consideration should be given to ensuring the interval for those inspections is less than the time required for an adversary to gain undetected access to the classified matter and/or remove the classified matter and escape detection. d. Protective Force Personnel. Protective personnel, private security firms, or local law enforcement personnel must respond to intrusion detection alarms as specified in Paragraph 2b of this chapter. Specific details regarding this response (e.g., numbers of protective personnel responding, response positions, duties, etc.) must be documented in approved security plans. e. Alternative Storage Locations. (1) With prior written approval of the cognizant DOE element, a bank safe deposit box/vault may be used to store Secret or Confidential matter, provided that the lock and keys to the box/vault are changed prior to such use and the customer's key is furnished only to persons authorized access to the contents. (2) Federal Records Centers, approved as outlined in DOE O 470.1, may be used to store classified information. CHAPTER IV RADIOLOGICAL AND TOXICOLOGICAL SABOTAGE PROTECTION 1.0 GENERAL REQUIREMENTS. The radiological sabotage protection must comply with the physical protection requirements of Chapter II of this Manual if the SNM categories and attractiveness levels dictate more stringent requirements; otherwise, the provisions of this chapter apply. Protection of radiological and toxicological targets must be provided in a graded manner to be consistent with the level of hazards present. The SSSP and security protection strategies shall must address responses to radiological and toxicological sabotage, including mitigation of possible events. These plans must be coordinated and integrated into the site's Emergency Management functions. CHAPTER V SECURITY AREAS 1. GENERAL REQUIREMENTS. DOE security areas are designated in ascending order as property protection areas, limited areas, exclusion areas, protected areas, vital areas, and material access areas. The cognizant DOE safeguards and security authority approves the applicability of security requirements for property protection areas. The following requirements apply to all security areas except property protection areas. a. Access is controlled to limit entry to appropriately cleared and/or authorized individuals. (1) Any person permitted to enter a security area who does not possess an access authorization at the appropriate level and a DOE security badge, must be escorted at all times by a cleared and knowledgeable individual. (2) Local authorities must establish escort-to-visitor ratios in a graded manner for each security areas. b. Entrance/exit inspections of personnel, hand-carried items, packages and mail, and/or vehicles must provide assurance that prohibited articles are not introduced into security areas and that safeguards and security interests are not removed from the area without authorization. (1) Inspections. Entrance/exit inspections at entry control portals, as required, must be made by protective personnel or with detection equipment designed to detect prohibited articles. [See Subparagraph 1b(2) below.] Inspection procedures, requirements, and frequencies must be developed based on a graded approach and included in the appropriate security plan. (2) Prohibited Articles. The Department considers the following articles to be prohibited: all explosives or other dangerous weapons; all alcoholic beverages; all instruments, or material likely to produce substantial injury to persons or damage to persons or property; all controlled substances (e.g., illegal drugs and associated paraphernalia, but not prescription medicine); and any other items prohibited by law (Reference: Title 10 CFR Part 860, and Title 41 CFR Part 101-19.3.). The local cognizant DOE approving authority for safeguards and security may authorize the introduction of those articles when used to conduct official Government business. (3) Controlled Articles. The following articles are not permitted in a limited, exclusion, protected, or material access area without prior authorization, and; prohibition of these articles must also be documented in a local security plan by the cognizant DOE authority for safeguards and security: (a) recording equipment (audio, video, optical, or data); (b) electronic equipment with a data exchange port capable of being connected to automated information system equipment; (c) cellular telephones; (d) radio frequency transmitting equipment; and (e) computers and associated media. c. Concentric Security Area Entry/Exit Inspections. When a security area is contained entirely within a larger security area, additional entry/exit inspections are not required at the inner security area perimeter if inspections conducted at the outer security area boundary are at the same level as required for the inner security area boundary. (1) Entry and exit inspections must be conducted at material access area boundaries regardless of outer boundary inspections. (2) To be designated as a concentric security area, the area must have a separate and distinct barrier(s) and access portal(s) from any other designated security area, (e.g., the boundary for a protected area and the boundary for a material access area cannot employ the same barrier at any location. d. Critical infrastructure assets must be provided the minimum concentric security area protection of a limited area. Based on the concept of graded protection, critical infrastructure assets may be provided the protection of protective personnel, access controls, and intrusion detection alarms and assessment based on the local vulnerability assessment. e. Emergency personnel and vehicles may be authorized immediate entry to security areas in response to an emergency. Conditions and procedures for immediate entry must be documented in the SSSP or security plan. Personnel and vehicles are subject to exit inspections when the emergency is over. f. Signs must be posted to convey information on the Atomic Weapons and Special Nuclear Rewards Act; prohibited articles; the inspection of vehicles, packages, or persons either entering or exiting; notification of video surveillance equipment; and trespassing, if applicable. Signs prohibiting trespassing must be posted around the perimeter and at each entrance to a security area except when unless one security area is located within a larger posted security area. See Chapter XIV for further details. g. Parking areas must be exterior to, and be located at least 15 feet away from, the outer barrier of the DOE security area clear zones that are equivalent to or more restrictive than limited areas. Furthermore, parking areas must be located with a minimum stand- off distance of 50 feet from buildings within a limited area, and 75 feet from buildings located within a protected area, or as determined for the vital area and as documented in the SSSP. (1) Parking areas located near security areas must address possible interference with intrusion detection sensor fields, as well as clear zones, Special Response Team (SRT) activities, and the design basis threat. (2) The explosive threat must be considered in assessments of vehicle parking and drive areas. h. Visitor logs must be used at protected areas, material access areas, and exclusion areas. (1) Requirements and procedures for visitor logs at security areas must be developed and approved by the cognizant local DOE authority for safeguards and security. These procedures must provide for recording information required for DOE F 1240.1, "Foreign Visitors Security Register," and DOE F 5630.6, "Visitors Security Register." (2) Automated access control system logs may be used to record visitor information when implemented in the SSSP/security plans. Information from visitor registers and logs must be retained in accordance with local records management procedures. 2. SECURITY AREA BARRIERS. Permanent physical boundaries must be used to enclose security areas except during construction or transient activities, when temporary barriers can be erected. a. Physical barriers, such as fences, walls, and doors, must be used to identify the boundary of a security area. Barriers must meet the following requirements, as well as the requirements defined in Chapter X of this Manual. (1) Barriers must be used to direct the flow of personnel and vehicles through designated entry control portals. (2) Barriers must be capable of controlling, impeding, or denying access to a security area. (3) Barriers must be used to deter the introduction of prohibited articles or the removal of safeguards and security interests. (4) Barriers must be used to deter and/or prevent penetration by motorized vehicles where vehicular access could significantly enhance the likelihood of a successful malevolent act. (5) Physical barriers may be used to protect critical infrastructure assets, Government property and facilities. (6) Alarms are required for all unattended openings in barriers, gates and/or portals, and culverts and sewers where the unattended openings meet the following criteria: (a) the opening is larger than 96 square inches (619.20 square centimeters) in area and larger than 6 inches (15.24 centimeters) in the smallest dimension; and (b) the opening is located within 18 feet (5.48 meters) of the ground, roof, or ledge of a lower security area; or (c) the opening is located within 14 feet (4.26 meters) diagonally or directly opposite windows, fire escapes, roofs, or other openings in uncontrolled adjacent buildings; or (d) the opening is located within 6 feet (1.83 meters) of other uncontrolled openings in the same barrier. (7) Objects may not be placed next to barriers because they could be used by intruders to scale the barriers and enter the area. b. Penetrations of Security Barriers or Security Areas. Protection features at each barrier penetration must provide the same degree of penetration resistance as the barrier itself. If a penetration cannot be closed off with the same degree of penetration resistance, an IDS must be used. (1) Overhead utilities may not pass between a security area and a lower security area without physical protection features to prevent access. In addition, utility equipment and supports may not be located in clear zones or security areas that are equivalent to or more restrictive than protected areas. Locating equipment and supports in these areas may provide cover or otherwise aid individuals illegally crossing security boundaries. (2) Any elevator that penetrates a security barrier must be provided with access control systems with security equivalent to that of the barrier penetrated. (3) The use of cable trays must be considered for large, multiple-cable applications in both interior and exterior locations. (4) Utility corridors that penetrate security barriers must provide the same degree of penetration resistance as that provided by each barrier they penetrate. This provision applies when the unattended opening within the utility corridor meets the unattended opening requirements of Paragraph 2a(6) above. 3. PROPERTY PROTECTION AREA. A property protection area is a security area established to protect Government-owned property against damage, destruction, or theft and to control public access. Measures taken must be adequate to give reasonable assurance of protection and may include physical barriers, access control systems, protective personnel, IDSs, and locks and keys. a. Access controls may be implemented to protect DOE property and facilities. When access to a property protection area is controlled by an unattended automated access control system, the system must verify the validity of the DOE standard badge. b. DOE personnel and contractors must wear their DOE security badges in plain view while on DOE property, or leased areas, including Property Protection Areas, unless specifically exempted by local DOE Security Office approved procedures. c. Signs prohibiting trespassing, where necessary, must be posted around the perimeter and at each entrance to the property protection area in accordance with Title 10 CFR Part 860, Trespassing on Administration Property, and Title 41 CFR Part 101-19.3, Federal Property Management Regulation. See Chapter XIV. d. Personnel, vehicles, and hand-carried items entering or exiting the property protection area are subject to inspection to deter and/or detect unauthorized introduction of prohibited articles and removal of Government assets. e. Property protection area security measures must be approved by the cognizant DOE safeguards and security approving authority. Property protection area security measures must be developed to protect Government-owned property against damage, destruction, and/or theft. These protective measures must be implemented in the SSSP, or security plan. 4. LIMITED AREA. A limited area is a security area designated for the protection of classified matter and/or Category III or lower quantities of SNM and critical infrastructure assets. a. General Requirements. Limited areas are defined by physical barriers encompassing the designated space, access controls to provide assurance that only authorized personnel are allowed to enter and exit the area, and random entrance/exit inspections, and other means to detect unauthorized access. Limited area access requirements must be administered as follows. (1) Individuals permitted unescorted access have require access authorization and need-to-know consistent with the matter under protection within the area. (2) Individuals without appropriate access authorization or need-to-know must be escorted, and measures must be taken to prevent compromise of classified matter. (3) Access to safeguards and security interests and critical infrastructure assets within a limited area, when not in approved storage, must be controlled by the custodian(s) or authorized user(s). (4) Limited area "islands" not included in an otherwise larger geographic site limited area, (i.e., off-site office space in commercial or Federal buildings) must meet the following requirements. (a) Limited area islands, such as office space accessed by keys or combination locks, that store Secret matter or below, and that otherwise meet the classified matter storage requirements of Chapter III of this Manual, may be subject to access control requirements as approved by the local cognizant DOE safeguards and security approving authority. (b) Access to these limited area islands must be controlled and portals limited. Barriers must be in place to prevent further access to exclusion areas or other higher-level security areas, and to all SNM. (5) Entrance inspections of personnel, vehicles, and hand-carried items must be conducted to deter and detect unauthorized introduction of prohibited and controlled articles. (6) Exit inspections of personnel, vehicles, and hand-carried items must be conducted to deter and detect the unauthorized removal of classified matter and Government property. b. Personnel and Vehicle Access Control. The identity and access authorization of persons allowed access must be validated by protective personnel (e.g., protective force or other appropriately authorized personnel) and/or by automated systems, or other means documented in the security plan. Such validations must occur at the entrances to limited areas. Additional access control requirements are as follows. (1) All non-government vehicles are prohibited from limited areas unless specifically authorized by the local DOE approving authority, and as documented in the SSSP. (2) Government-owned or Government-leased vehicles may be admitted to limited areas only for official business and only when operated by properly cleared and authorized drivers, or when the drivers are escorted by properly cleared and authorized personnel. Local safeguards and security authorities must implement procedures for search and access of service and delivery vehicles on official business; however, escort by properly cleared and authorized personnel is required. Entry of service and delivery vehicles may not enter limited areas more often than necessary to continue efficient operations. (3) Automated access control systems must be used to verify the following: valid DOE standard badge (i.e., validity of the badge is matched between the badge serial number read by the system and matches the serial number assigned to the badge holder), valid access authorization, and valid personal identification number (PIN). Protective personnel, or other means documented in the security plan, may be used to validate the badge and access authorization at automated access control points. 5. EXCLUSION AREA. An exclusion area is a security area where an individual's mere presence results in access to classified matter. An exclusion area must meet the minimum protection requirements for a limited area, and may be designated for protected areas and material access areas. a. General Requirements. The boundaries of an exclusion area must be identified by barriers that encompass the designated space. Exclusion areas also require access controls and entrance/exit inspections to provide reasonable assurance that only authorized personnel are allowed to enter and exit the area. When the exclusion area is designated as a protected area or materials access area, protection provisions must meet the minimum requirements for the security area designated. Exclusion area requirements must be administered as follows. (1) Individuals permitted unescorted access must have access authorizations and need-to-know consistent with the matter to which they would have access by mere virtue of their presence in the area. (2) Individuals without appropriate access authorization and need-to-know, must be escorted, and measures must be taken to prevent compromise of classified matter while the individuals are in the area. (3) An unattended exclusion area must be protected by protective force personnel and by IDSs as required by Chapter III of this Manual. Exclusion areas protecting SNM must provide protection as specified in Chapter II of this Manual. b. Personnel and Vehicle Access Control. Validation by protective personnel and/or automated systems must be used at entrances to validate the identity and access authorization of persons allowed access. All access restrictions for personnel and vehicle access control that apply to limited areas also apply to exclusion areas. 6. PROTECTED AREA. A protected area is a security area used to protect Category II quantities of SNM and/or to provide a concentric security zone surrounding separately defined material access areas. a. General Requirements. A protected area must be: (1) encompassed by physical barriers identifying its boundaries, (2) surrounded by perimeter intrusion detection and assessment systems; and, (3) equipped with access controls to provide assurance that only authorized personnel are allowed to enter and exit the area. b. Protected Area Barriers. Protected area boundaries must be designed to detect/deter an outside attack. The design must also allow for appropriate personnel, vehicle, and materials/packages portals, while deterring or preventing an insider from passing material over the barrier for later retrieval. Proximity to buildings or overhanging structures must be considered in barrier design. (1) The attempted removal of safeguards and security interests by an insider must also be a design consideration for site/facility boundaries. (2) Protected area portal systems must allow for the passage of personnel while detecting the presence of SNM and other prohibited items. While material control and accountability concerns generally relate to insiders removing SNM from the area, physical security concerns at portals must also include procedures and equipment to detect explosives or weapons being brought in by any means. Portal design must include separate package inspection stations so that packages can be inspected separately. The following applies provisions apply to the design of portals. (a) Portal monitors must be installed so that items cannot be passed around the portal without being detected. (b) Portal monitors must be co-located with protective force posts so that adequate response to an alarm is initiated. Protective force stations must be designed with an unobstructed view so that protective force personnel can observe any attempt to bypass systems. c. The following requirements apply to protected area access. (1) Entrance inspections of personnel, vehicles, and hand-carried items must be conducted to deter and detect unauthorized prohibited and controlled articles. (2) Exit inspections of personnel, vehicles, and hand-carried items must be conducted to deter and detect the unauthorized removal of SNM. Specific inspection procedures for SNM and metal detectors shall be established and documented with limitations and thresholds. If the protected area encompasses a material access area, but no Category II or greater quantity of SNM is contained outside the material access area, no SNM exit inspection is required. (a) At all protected-area non-emergency exit points, each vehicle, person, package, and container must be physically or electronically inspected. (b) Exit inspection procedures and detection thresholds for SNM and shielding must be established consistent with the material type, form, quantity, attractiveness level, size, configuration, portability, and credible diversion amounts of SNM contained within the area. (c) Exit inspections must be capable of detecting shielded SNM (e.g., by using a combination of SNM and metal detectors). (d) Procedures must ensure that portals without the means to detect SNM are not used except in emergencies. (3) Exits/entrances must either be alarmed with intrusion detection sensors or controlled at all times. (4) Protected areas must be encompassed by perimeter intrusion detection and assessment systems (PIDASs). The PIDAS must be monitored in continuously manned CASs and SASs. (5) Protective force response time to an intrusion detection must be less than the delay time that can be demonstrated from alarm activation until intruders could complete adverse actions. d. Personnel and Vehicle Access Control. Validation of the identity and access authorization of persons authorized access must be administered by armed protective force personnel and/or by means of an automated access control system. The following access control requirements apply. (1) Private vehicles must be prohibited from a protected area. (2) Government-owned or Government-leased vehicles may be admitted only when on official business and only when operated by properly cleared and authorized drivers, or when drivers are escorted by properly cleared, authorized personnel. Service and delivery vehicles may not enter limited areas more often than necessary to continue efficient operations. (3) Where access to a protected area is controlled by an unattended automated access control system, the system must verify the following: valid DOE standard badge (i.e., the badge serial number read by the system matches the serial number assigned to the badge holder), valid access authorization, and valid PIN. Protective personnel, or other means documented in the security plan, may be used to validate the badge and access authorization at automated access control points. 7. MATERIAL ACCESS AREA. A material access area is a security area used to protect Category I quantities of SNM or Category II quantities of SNM with credible roll-up to a Category I quantity. a. General Requirements. The material access area must have defined boundaries that provide sufficient delay time to impede, control, or deter unauthorized access. (1) A material access area must be located within a separate and distinct protected area. (2) A material access area boundary must deter or detect the unauthorized movement of material through it while allowing access by authorized personnel, access and authorized material movement through authorized portals, and emergency evacuation as necessary. Doors at such transfer locations must be fitted with alarms with the means to communicate with the CAS. (3) Protective force response time to an intrusion detection must be less than the delay time that can be demonstrated from alarm activation until intruders could complete adverse actions. (4) Penetrations in the floor, walls, or ceiling for piping, heating, venting, air conditioning, or other support systems must not create accessible paths that could facilitate the removal of safeguards and security interests. (5) Exits designed for emergency evacuation must be alarmed with intrusion detection sensors or controlled at all times. b. Entry/Exit Inspections. Inspections must provide assurance against the unauthorized introduction of prohibited articles or removal of SNM by force, stealth, or deceit. (1) Entrance inspections of personnel, vehicles, and hand-carried items must be conducted to deter and detect the unauthorized introduction of prohibited articles and controlled substances. (2) Exit inspections of personnel, vehicles, and hand-carried items must be conducted to deter and detect the unauthorized removal of SNM. Specific inspection procedures and SNM/metal detection thresholds and limitations must be established and documented. (a) A separate physical or electronic inspection of each vehicle, person, package, and container must be conducted at all non-emergency exit points for material access areas that contain Category I quantities of SNM (or Category II quantities with credible roll-up to a Category I quantity SNM). (b) Exit inspection procedures and detection thresholds for SNM and shielding must be established consistent with the material type, form, quantity, attractiveness level, size, configuration, portability, and credible diversion amounts of SNM contained within the area. (c) Exit inspections must be capable of detecting shielded SNM (e.g., by using a combination of SNM and metal detectors). (d) Procedures must ensure that portals have the means to detect SNM. c. Personnel and Vehicle Access Control. The identity, access authorization, and authority to enter for persons allowed access must be validated at material access area entrances. Access control must be administered by armed protective force personnel and/or automated access control systems. (1) Private vehicles be are excluded from a material access area. (2) Government-owned or Government-leased vehicles are admitted to material access areas only when on official business. Drivers must have the proper access authorization or be escorted by authorized personnel with the proper access authorization. (3) Exit inspection procedures and detection thresholds for SNM and shielding must be established consistent with the material type, form, quantity, attractiveness level, size, configuration, portability, and credible diversion amounts of SNM contained within the area. (4) Where access to a material access area is controlled by an unattended automated access control system, the system must verify the following: valid DOE standard badge (i.e., the badge serial number read by the system matches the serial number assigned to the badge holder), valid access authorization, valid biometric template. and valid PIN. Protective personnel, or other means documented in the security plan, may be used to validate the badge and access authorization at automated access control points. (5) Although material control and accountability concerns generally relate to insiders removing SNM, physical security concerns at portals include the detection of explosives and weapons being brought in. In addition, equipment/package portals are sometimes designed so that protective personnel can monitor tools and packages separately from personnel. SNM portal monitors must be distanced or otherwise shielded from nuclear materials in the process area. This applies not only to locations of static storage, but also to passageways or conveyer systems that allow the passage of SNM within the facility. 8. VITAL AREA. A vital area is a security area used to protect vital equipment. a. In addition to protection strategies used at a protected area, the following requirements must be met. (1) Area boundaries must conform to the layered protection concept, with a separate vital area perimeter located within a separate and distinct protected area. (2) The perimeter of each vital area must be monitored to deter and detect unauthorized entry attempts. (3) Vital equipment must be protected with an IDS. (4) Exits must be alarmed or controlled at all times. (5) Protective force response time to an intrusion detection must be less than the delay time that can be demonstrated from alarm activation until intruders could complete adverse actions. b. Personnel and Vehicle Access Control. Procedures must be established requiring validation of the identity and access authorization of persons authorized access; validation must be administered by protective personnel or an automated access control system. Access control requirements must be as follows. (1) Private vehicles are prohibited from vital areas. (2) Government-owned or Government-leased vehicles may be admitted only when on official business and only when operated by properly cleared and authorized drivers, or when escorted by properly cleared and authorized personnel. (3) Where access to a vital area is controlled by an automated access control system, the system must verify the following: valid DOE standard badge (i.e., the badge serial number read by the system matches the serial number assigned to the badge holder), valid access authorization, and valid PIN. Protective personnel, or other means documented in the security plan, may be used to validate the badge and access authorization at automated access control points. 9. OTHER DESIGNATED SECURITY AREA REQUIREMENTS. Other areas with restricted access requirements in addition to those limited access to the security area include secure communications centers, sensitive compartmented information facilities, central alarm stations, secondary alarm stations, local law enforcement agency or private alarm stations, and automated information system centers. The requirements for other designated security areas are as follows. a. Alarm Systems. A central alarm system (CAS) and secondary alarm station (SAS) must be used to protect Category I and II quantities of SNM as required by Chapter VI of this Manual. b. Sensitive Compartmented Information Facilities. DOE follows the requirements in Director of Central Intelligence Directive 1/21 for the construction of Sensitive Compartmented Information Facilities. c. Local Law Enforcement Agency or Private Alarm Station. If response by local law enforcement agency/protective personnel to alarm activity is required, the response must meet the specifications for Grade AA as contained in Underwriters Laboratories Standard 611, "Central-Station Burglar-Alarm Systems." d. Secure Communications Centers and Automated Information System Centers. (1) Centers handling classified messages or information must be located, as a minimum, within a limited area. (2) Separate access controls and barriers must be established to restrict admittance to persons employed therein or requiring access to perform their official duties. (3) Access authorizations, consistent with the highest level and category of classified information handled, be are required for all persons assigned to or having any unescorted access to these centers. A list of persons authorized such access must be maintained within the center, and a record of all visitors entering the facility must be maintained. CHAPTER VI ALARM MANAGEMENT AND CONTROL SYSTEM 1. GENERAL REQUIREMENTS. This chapter outlines requirements for integrated security systems protecting Category I and II quantities of SNM, and quantities of SNM that presents a credible roll-up to a Category I quantity of SNM, Top Secret matter, and other high- consequence assets as designated. All alarms used to protect Category I and II quantities of SNM, including roll-up to Category I or II, must annunciate directly to the central and secondary alarm stations in real-time. The protection systems afforded DOE safeguards and security must provide integrated hardware and software working as a whole to provide timely data communications and command and control of security input and output. The integrated protection systems must be operated from one central and one secondary location. a. Alarm stations provide monitoring of alarms and assessment for the Perimeter Intrusion Detection and Assessment System (PIDAS) and must provide a means to monitor alarms and provide assessment and responses to control security incidents. (1) A CAS and SAS must be used to monitor the security, access control, and assessment systems for protecting all Category I and II quantities of SNM, quantities of SNM that present a credible roll-up to a Category I quantity of SNM, Top Secret matter, and other high-consequence assets. (2) Both the CAS and the SAS must be attended constantly by appropriately trained security personnel who possess access authorizations commensurate with the highest level of SNM that is under protection. (3) Both the CAS and the SAS must be capable of providing effective control and response to safeguards and security incidents. (4) The CAS must be located within the minimum of a limited area. (5) Every CAS, including communications and computer areas constructed after the date of this Order, must be protected from compromising emanations. (6) Alarms for protecting Category I and II quantities of SNM, and quantities of SNM that present a credible roll-up to Category I or Category II quantities of SNM, and Top Secret matter must be distinguished at the CAS/SAS from alarms protecting other security interests. Annunciation of these alarms take priority over the alarms for other security interests. (7) Alarm station activities not related to automated access control, protective force communications, and the monitoring and assessment of alarms must be kept to a minimum. (8) General human factors. Security work areas and alarm stations must be ergonomically designed. (a) Equipment, including control panels, work tables and counters, enclosures, seating, storage, special clothing, and any other equipment designed for an operator, must be ergonomically designed to accommodate human body dimensions. (b) Personnel equipment must be designed to accommodate a wide variety of body dimensions. Equipment dimensions must accommodate the fifth to ninety-fifth percentile of the user population. b. Architectural. Safeguards and security CAS and SAS architectural requirements are as follows. (1) Exterior walls must be windowless, and roofs must be without skylights and roof windows. CASs that require windows for visual surveillance of areas outside the station must be fitted with bullet-resistant glass [Underwriters Laboratories (UL)-752, High Powered Rifle]. (2) Personnel entryways must be fitted with substantially constructed doors, equipped with locks operable from within the centers. (3) Structural openings must be kept to a minimum. (4) Central and secondary alarm stations must be designed with substantial walls, ceilings, and floors to for protect security personnel and communications equipment to a minimum of UL-752 standards for High Powered Rifle protection. Structural integrity must be sufficient to protect against unauthorized personnel intrusion. (5) CASs must have access control systems and barriers to restrict admittance to persons who are employed therein or who require access to perform official duties on a need-to-know basis. (6) CASs (and protective force communications center) must be equipped with radio and telephone channels for communication with local law enforcement agencies. (a) An alternative communications capability from an SAS must be provided for use if the primary station is compromised. (b) Radio communications equipment must remain operable if primary electric power is lost. (7) When vulnerability analyses show significantly elevated risk to Category I quantities of SNM due to Chemical Biological Warefare attack on a CAS(s), a means must be employed to protect the CAS operators. These protective measures may incorporate building filtration systems, personal protective devices, or incapacitating agent detectors. Where building filtration systems are employed, heating, ventilation, and air conditioning systems must be designed with air filtration features to protect against infiltration of aerosol and gas incapacitating agents. 2. CENTRAL AND SECONDARY ALARM STATION OPERATIONS. CASs and SASs must be designed to include all computers, file servers, CCTV switcher systems, alarm data communications, protective force communications, and auxiliary power equipment necessary for continuous operation of the system. Such equipment must be located within the station or within contiguous areas having the same degree of physical security and access control. a. The site's CAS must (1) be the primary point of intrusion detection alarm annunciation, assessment, and system monitoring, (2) provide the primary monitoring and alarm annunciation point for automated access control systems associated with protection of Category I and II quantities of SNM, (3) provide for the primary protective force communications point for alarm assessment and responses, (4) provide the primary central monitoring point for CCTV when CCTV is used for assessment, (5) provide the termination point of alarm data collection and communication, and (6) provide for maintenance and storage of spare units of line supervisory and alarm equipment within the station. b. CAS/SAS alarms must (1) annunciate directly in the CAS/SAS in real-time and annunciate in both the CAS/SAS simultaneously. (2) annunciate both audibly and visually in both the CAS and the SAS, (3) be acknowledged by straightforward and easily performed actions, (4) address alarm priorities for the reporting and acknowledgment of a multiple alarm scenario to ensure system credibility/reliability is not diminished, (5) have status indicators provided in the alarm station(s) to reveal system status changes, (6) indicate on the alarm station status indications, including the loss of primary power, which must not degrade the system, and (7) have a method to call the alarm station operators' attention to the CCTV monitor displaying an alarm point activation, when the alarm control monitoring system is integrated with a CCTV assessment system as primary assessment. c. The CAS must meet the construction requirements of a hardened post; and, the CAS must be located as a minimum within a limited area. (1) Exterior walls, windows, roofs/floors, and doors must be constructed of reinforced concrete or be reinforced with materials that result in a bullet- penetration resistance equivalent to the "high-powered rifle rating" given in UL- 752. (2) The CAS must provide adequate human engineering so that protective personnel occupying the posts can perform their duties efficiently. (3) The CAS must provide occupants with adequate protection from weather and temperature variations. d. The CAS must be designated an exclusion area. Access controls must be used to restrict admittance to only those persons who require access to perform official duties. e. Secondary Alarm Stations. The SAS is an alternative alarm annunciation point that will initiate a response if the CAS cannot perform its intended function. Secondary alarm stations need not duplicate the CAS, but must meet the operational requirements of the CAS with the exception of construction and located within a limited area. 3. IDS MONITORING FUNCTIONAL REQUIREMENTS. The following general provisions are required for an integrated PIDAS designed to protect Category I and II quantities of SNM, quantities of SNM that present a credible roll-up to Category I and II, Top Secret matter, and other high-consequence assets. a. The protection system must (1) have a timely capability for display and assessment of intrusion that accurately displays the correct functional state of every subsystem; (2) annunciate system status changes in the alarm station(s), including system component failure, loss of primary power, and radio frequency (RF) systems alarms; (3) ensure that all intrusion detection, system status, tamper, and line supervision alarms annunciate, directly and simultaneously in both the CAS and the SAS when protecting Category I and II quantities of SNM, quantities of SNM that present a credible roll-up to Category I or II, and Top Secret matter, or other high-consequence assets. b. Alarm functions must be prioritized so that those functions requiring immediate response (e.g., alarms protecting Category I and II quantities of SNM) have the highest priority. Background functions may not interfere with monitoring personnel's ability to initiate the appropriate responses. c. Records must be kept on each actual and/or false/nuisance alarm. (1) The alarm record must be reviewed, analysis performed, and corrective measures taken as applicable to ensure system effectiveness and minimize nuisance and false alarms. (2) The minimum record requirements are date and time of alarm, cause of the alarm or probable cause if definite cause cannot be established, and the name of the recorder or the operator on duty. (3) For systems installed after the date of this Manual, records must also include type of alarm [e.g., actual (with identifying data), false, nuisance, or tamper]; location of alarm; time of assessment; and name of assessor. d. The alarm record must be reviewed, analysis performed, and corrective measures taken as applicable to ensure system effectiveness and minimize nuisance and false alarms. e. Data communication systems must include the communication among all devices and computers within protection systems operations, including communications between the sensors, alarm groups, and field processors. (1) Systems installed after 9-14-94 used in the protection of Category I and II, and roll-up to Category I or II quantities of SNM must employ redundant, independently routed, or separate communication paths to avoid a single-point failure to the CAS and SAS. Redundant routed communications paths to the SAS must not be routed through the CAS. (2) Data communications must comply with the following communications links. (a) Separate data and control communication paths must be established between field processors and primary and secondary host computers. (b) Redundant data and control communications must be established between primary host computer and secondary host computers. A fail- over system must be used to ensure that the loss or degradation of one host computer will not cause the loss of the second. (c) Redundant pathways must begin at a point on the data communication links to the field processors and be conveyed and reported independently to both the CAS and the SAS. (Note: Links must be routed so that the CAS does not control the communication links to the SAS or vice versa. A separate data communication link to the CAS, and another to the SAS does not satisfy this requirement because both must have redundancy.) (d) If the communication path is in a "loop" configuration, it must feature reverse polling to meet the redundant pathway requirement. f. The system must be configured so that authorized personnel may make adjustments on the site's physical protection system configurations, such as placement of sensors, alarm groups, cameras, and access control devices. (1) Parameters and capabilities identified as configurable must be configurable only by authorized individuals at the site, as designated in writing. (2) The system must provide a way to identify authorized personnel; the system must also provide the capability to enforce the requirement that two persons or more concur on site configuration changes. (3) The system must allow authorized individuals to create, query, modify, and delete system configuration items. This process cannot interfere with console operations. 4. CLOSED CIRCUIT TELEVISION ASSESSMENT SYSTEMS. CAS/SAS-integrated security systems must be interfaced to a video subsystem to provide CCTV assessment and surveillance capability. a. A fixed-lens CCTV system must be used when cameras are the principal means of alarm assessment. Movable pan-tilt-or-zoom lens cameras may be used for surveillance and as back-up to fixed primary assessment cameras. b. The intrusion detection alarms used for primary assessment must be integrated with a CCTV automated switching system with real-time features to have the capability to call the CAS/SAS operators' attention to a CCTV alarm-associated video recorder/monitor. c. The CCTV picture quality must allow the operator to recognize and discriminate between human and animal presence in the camera field-of-view. d. The video subsystem must as a minimum support two monitors to display live video and two monitors to display recorded video. e. The system must have the capability to automatically switch to the camera associated with the alarm event and to display that event in the CAS for assessment by the operators. f. Video recorders must be actuated by intrusion alarm signals and must operate automatically. (1) The response must be rapid enough to record an actual intrusion. (2) The system must be capable of capturing video information related to an incident 50 milliseconds before the alarm sounds to indicate that an incident has begun. (3) The system must override manual switching commands of non-incident video to display video associated with an incident (if there is not at least one monitor reserved for incident video only). (4) Operators must be able to manually override the automatic features and manually operate a CCTV camera associated with another event out of the priority order. g. When CCTV is used as the principal means for assessing alarms and determining response level, CCTV cameras must have tamper-protection and/or feature loss-of-video alarm annunciation. (1) A loss-of-video alarm is a feature built into the CCTV camera and annunciates when the picture is lost. Loss-of-video implies that the picture has degraded to the point that the operators cannot identify objects within the camera's field of view. (2) CCTV cameras not protected by installation inside the perimeter intrusion detection and assessment system sensors must feature both tamper-protection and loss-of-video alarms. h. When CCTV is used as the primary assessment of the perimeter intrusion detection system, the coverage must be complete, with no gaps between zones and no areas that cannot be assessed because of shadows or objects blocking the camera fields. When such conditions are temporary, compensatory measures are required. i. Adequate lighting must be maintained on the PIDAS sensor zones and the isolation zone for CCTV assessment and surveillance 24 hours a day. When such conditions are not met, compensatory measures are required. j. Two consoles, one in the CAS and one in the SAS, are required to ensure that all camera control, and video recording can be performed at either console. The CCTV subsystem must be co-located with the CAS/SAS computers and servers. The system must be able to lock out those control functions from inoperable consoles. 5. NORMAL AND BACKUP POWER SUPPLIES. Normal on-site power must be provided for all physical protection systems equipment. Backup and emergency power supplies must be provided according to the requirements of this Manual, Chapter VII, and VIII. 6. OTHER REQUIREMENTS. Access to other areas designated as security areas by local procedures must be controlled and protected. a. Operating and equipment areas that contain relays, switches, electronic devices, and other dust-sensitive equipment must be designed to be relatively dust-free. To minimize dirt and dust, these areas must be windowless and without skylights or roof windows. All exterior doors must be weatherstripped. Access must be through vestibules, foyers, corridors, or other buffer areas. b Operating areas must be located and constructed to minimize outside noise interference and treated acoustically to maintain a low internal sound level commensurate with operating requirements. c. Shielded conduit and enclosures must avoid internal building support columns, which would degrade the efficiency of the enclosure. d. Flexible, shielded, conduit connections for communications cables serving security areas with hardened centers, vaults, vault-type rooms, etc., must incorporate sufficient slack to withstand potential displacement without impairing the installation or requiring the replacement of cables. Designers must provide floor inserts to secure the equipment to the floor through shock mounts designed to withstand anticipated blast effects. Ceiling inserts must be provided to brace equipment racks and cabinets and to support overhead cable racks or trays. e. Where radio communications or control equipment requires one or more exposed antennae having no significant blast resistance, the design must allow the antennae to be replaced from inside the shelter. Normally retracted "pop-up" antennae, operable from inside the hardened area, must be provided. f. Information on lightning protection is available in Military Handbook-419. For additional information, refer to Federal Information Processing Standard (FIPS) PUB 94. g. All electrically grounded towers must be electrically protected in conformance with National Fire Protection Agency (NFPA) 78. Ground conductors must be without intervening splices and protected against mechanical damage. If ground conductors must be enclosed within a tower foundation, separate ground conductors must be brought to at least two legs of the tower and extended to the air terminal. The emergence point at which ground conductors emerge from the foundation must be sealed against moisture. Ground conductors must also be protected against mechanical damage. Where guy supports are used, ground rods must be installed at each anchor and connected to all guys terminating at that location. A ground counterpoise system must be used only when required to meet the needs of the communications system or as necessary to ensure effective grounding. CHAPTER VII PROTECTION OF SECURITY SYSTEMS ELEMENTS 1. GENERAL PROTECTION REQUIREMENTS. Security-related equipment must be protected from unauthorized access in a graded manner consistent with the security interest under protection. a. System components used to protect Category I and II, and credible roll-up to Category I and II quantities of SNM, vital equipment, and Top Secret and Secret classified matter must be protected with tamper-indication in both the access and the secure modes. b. Tamper indication is required for intrusion detection/alarm devices, wiring between detection/alarm devices and data gathering panels, RF alarm transmission links, and transmission lines from data gathering panels to annunciators and/or alarm stations. c. Exposed data communications-related wiring (both interior and exterior) for intrusion detection devices and systems used to protect Category I and II quantities of SNM must be protected by rigid conduit (e.g., flexible rigid conduit may be used). d. System components used to protect Government property and security interests other than those itemized above must be protected, consistent with a cost/benefit analysis determined by each facility. e. Sites/facilities must protect the location of a CAS as follows. (1) CASs and SASs must be protected according to the requirements in Chapters VI and VII of this Manual. (2) Commercial CASs must be UL Class AA installations. 2. PROTECTION OF AUTOMATED INFORMATION SYSTEMS. Sites/facilities must protect automated information systems as follows. a. All elements of an automated information system, including remote terminals, printouts, output devices, storage media, and memory, must be afforded physical security protection commensurate with the most highly classified security interest processed by the system. b. An automated information system facility must be located in a security area to provide adequate protection. The physical protection must be commensurate with the most highly classified security interest handled by the system. The area or facility must be securely locked and alarmed when unattended by authorized personnel. c. The computer systems security officer must prescribe methods for limiting access to locations with automated information system remote terminals to authorized users. 3. PROTECTING AUTOMATED INFORMATION CENTERS AND REMOTE INTEGRATION POINTS. Automated information systems centers and remote interrogation points that process classified information must consider the following. a. A "control zone" is defined as (1) the inspectable space above, below, and around equipment and distribution systems that (2) is under sufficient physical and technical control to preclude interception of compromising emanations. The phrase "sufficient physical and technical control" means the degree of control necessary to ensure that the protective force responsible for protecting a controlled space has the authority and ability to investigate and remove any person or device of a suspicious nature that is detected. b. When contained within a larger limited area, automated information systems centers and remote interrogation points used to process classified information must have separate access controls and barriers. These access controls and barriers restrict access to classified information to only those persons with the need-to-know who require the information to perform their official duties. 4. PROTECTION OF RADIO CONTROL CENTERS. Critical and essential safeguards and security radio control centers must be protected at a minimum as a vital area. a The space and utility requirements of radio control centers must comply with DOE O 200.1, INFORMATION MANAGEMENT PROGRAM, dated 9-30-96. b. The following architectural requirements apply. (1) Centers essential to security functions must be without windows, skylights, and roof windows. (2) Barrier penetrations must conform to the 96-square-inch rule. 5. PROTECTION OF RADIO REPEATER STATIONS. Radio repeater stations must be protected and documented in the security plans. a. A radio repeater station must be placed in a location to ensure all-weather access for vehicles and personnel to the station building, antennae, standby generator plant, and fuel storage tank. b. The station must be designed to minimize risk of damage to the antenna structure and supporting guy lines from vehicular traffic and to provide for future expansion. 6. PROTECTION REQUIREMENTS FOR DESIGNATED SECURITY AREAS. Security requirements for DOE Sensitive Compartmented Information Facilities, Special Access Programs, or Top Secret areas where classified information is discussed, processed, stored, or produced are established by the cognizant program security office for that specific program. 7. PROTECTION OF PROTECTIVE FORCE POSTS. The nature of the threat determines the location and manning of fixed and mobile posts. a. When practicable, a protective force post must be situated to provide the best available, unobstructed view of the surrounding terrain. Planning for response times must address the delay provided by physical barriers after the intrusion is first detected. b. Protective force posts for controlling access to areas containing weapons, nuclear test devices, complete nuclear assemblies, or Category I or II roll-up quantities of SNM must meet the following requirements. (1) All routine and emergency fixed posts must be located to enhance the efficiency of routine duties and to ensure that likely routes of adversary ingress and egress are clearly observable. (2) Protective force posts must be constructed to the requirements for a hardened post contained in DOE 5632.7A. (3) Storage of weapons, ammunition, and explosives must comply with the requirements of DOE 5632.7A, Chapter VI, Paragraph 1b(2). c. In protective force towers intended to serve as fighting positions, consideration must be given to providing protected firing ports with hardened exterior walls and a minimum of 60 square feet of net floor area per person. 8. PROTECTION OF INTRUSION DETECTION SYSTEMS. The requirements for physically protecting IDS components are listed below. a. Panels. (1) The alarm control panel or data gathering panel must be protected by a detection device specifically intended for the protection of an enclosure. Otherwise, these data gathering panels must be located within the area of greatest protection; that is, inside the area being protected. (2) When these components are not installed in the area of greatest protection, the installation wiring from a control panel or data gathering panel to the alarm detection devices is to be physically protected from access or be alarmed to indicate attempted access. b. Enclosures and Junction Boxes. Electronic enclosures and junction boxes must be secured against unauthorized access and equipped with tamper alarms; otherwise, they must resist tampering (e.g., by means of seals, alarms, one-way screws, and/or by providing an indication of tampering). c. Line Supervision. Line supervision is required for IDSs protecting safeguards and security interests. For property, line supervision may be provided consistent with a cost/benefit analysis determined by each facility. Where data encryption is used, key changes must be made at 1-year intervals or whenever compromise is suspected. The requirements for line supervision are listed below. (1) Classes of Line Supervision. Performance-based definitions are listed below in descending order of protection. (a) Classes A through C apply to transmission of data bytes. In general, Classes A through C apply to alarm communication links between data gathering panels, between data gathering panels and central alarm computers or alarm annunciator panels, and between computers. 1 For Class A, as a minimum, the data transmission must comply with DOE O 200.1. 2 For Class B, as a minimum, the data transmission must be treated in one of the following ways: a encrypted using a proprietary encryption scheme, which results in non-repetitive communications; b pseudo random polling scheme; c nonencrypted data transmitted over fiber-optic cable enclosed in conduit; d nonencrypted data transmitted over fiber-optic cable monitored by an optical supervision system. 3 For Class C, unencrypted data transmission examples include the following: a RS-232, RS-485, etc., data transmissions standards; b standard repetitive polling schemes; and c exception reporting with repetitive polling for health checks. (b) Classes D through F apply to transmission of information through changes in the analog signal. In general, Classes D through F apply to alarm communication links between a sensor and a data gathering panel. 1 Class D supervision combines various frequencies of ac, pulsed dc, or a combination of AC and DC. 2 Class E supervision is an AC signal. 3 Class F supervision is a DC signal. (2) Line Supervision Options. Different combinations of line supervision are allowed depending on link routing. Different examples of an alarm communication link remaining within the security area, going through a lower security area, are required for the two primary segments of alarm data transmission: from sensor to data-gathering panel and from data-gathering panel to data-gathering panel or central processing unit. d. Alarm Annunciation and Response. Line supervision alarms for data-gathering panel to data-gathering panel or data-gathering panel to central processor (Classes A through C) are to be annunciated in both the CAS and the SAS, indicating the type of alarm (data error, loss of communication, tamper, etc.) and the affected equipment. (1) Sensor to data-gathering panel (Classes C through F) line supervision alarms are to be annunciated in both the CAS and the SAS, indicating the sensor or sensors affected. Multiple tamper switches associated with the same protection system component device (e.g., data gathering panel, junction box, or alarm point) may be wired (daisy chained) together as a single tamper alarm to the monitoring station. (2) Protective force personnel must be put on alert and system maintenance personnel notified when line supervision alarms indicate a loss of only one communications path of a redundant system. (3) Line supervision alarm, tamper alarm, or RF alarm events [e.g., "statement of health" (SOH) alarm, sensor alarm, tamper alarm, and RF jamming indications] must be treated the same as an intrusion alarm for the area being protected. Therefore, the protective force must respond along with maintenance personnel. (4) On annunciation of a tamper or line supervision alarm, the alarm condition must be assessed by maintenance personnel and the CAS/SAS personnel. (a) Tamper/line supervision alarms must be tested through the range of required operation to verify effectiveness, including the testing of the capabilities of the alarm system components being protected by the tamper alarm (i.e., balanced magnetic switch, microwave, passive infrared ). (b) Compensatory measures must be implemented to protect the alarmed location until the required testing and repairs, if applicable, are completed. (c) To negate the possibility of signal substitution, alarms must be tested through physical actuation rather than by a computer-generated, remote-test feature. TABLE 2. ALARM SYSTEM PROTECTION REQUIREMENTS TABLE 2. ALARM SYSTEM PROTECTION REQUIREMENTS (continued) CHAPTER VIII PROTECTION ELEMENT: INTRUSION DETECTION AND ASSESSMENT SYSTEMS 1. GENERAL REQUIREMENTS. The PIDAS must be installed to provide reasonable assurance that breaches of security boundaries are detected and that alarms annunciate at a CAS. The following requirements apply to intrusion detection and assessment systems. a. Real-time intrusion detection and assessments are required. b. Intrusion detection and assessment systems must effectively address all normal environmental conditions common to that area under all common types of lighting conditions. c. An effective method must be established for assessing all IDS alarms (e.g., intrusion, false, nuisance, system failure, and tamper) and radio when RF is used for to protect Category I SNM). (1) IDS alarms must be assessed in a timely fashion by either the protective force or by means of an electronic system like CCTV. (2) CCTV assessment systems used as primary assessment for perimeter intrusion detection alarms must be fixed in place (i.e., not pan, tilt, or zoom). (3) Protective force personnel used in place of or to supplement IDS alarms must conduct their patrols at random intervals, at a documented frequency. d. Response capability to IDS alarms must be provided to protect DOE safeguards and security interests. Response times must be appropriate for the protection strategy employed at the site, or as required in Chapter III of this Manual. The response capability may be provided by assigned protective personnel or by the local law enforcement agency for property protection sites. e. The PIDAS must employ multiple detection layers for protecting Category I and II, and roll-up to Category I or II quantities of SNM. Complementary sensor selection is required when multiple types of sensors are deployed. f. Intrusion detection systems must be designed, installed, operated, and maintained to ensure that the number of false and nuisance alarms does not reduce system effectiveness. (1) While maintaining proper detection sensitivity, each interior intrusion detection sensor must have a combined false alarm/nuisance alarm rate of less than 1 alarm per 2,400 hours of operation. (2) While maintaining proper detection sensitivity, each exterior intrusion detection sensor must have a combined false alarm/nuisance alarm rate of less than 1 alarm per 24 hours of operation. (3) If the alarms can be assessed at all times, either visually or by CCTV, a higher false alarm rate and nuisance alarm rate may be tolerated if such alarms do not degrade the system. This information must be documented. Even though higher rates are tolerated, the fact that an alarm occurred must be documented for analysis and trends purposes. g. Intrusion detection systems and their associated components, such as sensors, multiplexers, power supply cabinets, processors, junction boxes, and alarm access panels that service protected areas, material access areas, or vital areas, must detect tampering (e.g., by means of seals, alarms, one-way screws, and/or some other means). h. Intrusion detection systems must be monitored continuously by personnel assigned to assess alarms and intrusion activities. Monitoring personnel must initiate the appropriate responses. Primary monitoring and assessment of intrusion detection alarms must be accomplished by CAS/SAS personnel. i. Compensatory measures must be provided when the IDS is not in operation or is not operating effectively, or at temporary locations where a permanent IDS is not practical or cost-effective. j. Alarm monitoring systems must annunciate system status changes in the CAS/SAS, including system component failure and loss of primary power. k. The system must have a means of providing the location of the alarm to the system operator, response force, and/or maintenance personnel. l. For the protection of Category I and II, and roll-up to Category I or II quantities of SNM, all intrusion detection, system status, tamper alarms, and line supervision alarms must be annunciated in both the CAS and the SAS. m. Systems and system components protecting classified information must meet the requirements in Chapter III of this Manual. n. Systems and system components protecting Category I and II, and roll-up to Category I or II quantities of SNM must be operably, functionally, and performance-tested at a documented frequency in accordance with procedures established in DOE 470.1, Chapter III. The testing program for all other security interests must be developed and implemented in security planning documents. 2. INTERIOR INTRUSION DETECTION SYSTEM REQUIREMENTS. IDSs must be designed for economy of use, with redundant data communications paths for protecting Category I and II quantities of SNM. All IDSs must be provided a redundant, independent power source. a. The probability of detection for each safeguards and security physical protection system must be established and documented. b. The interior IDS must be capable of detecting attempts to bypass (i.e., any method for going around or over the detection zone of any sensor that is set with a finite detection zone) or spoof (any technique that allows a target to pass through the sensor's normal detection zone without generating an alarm) the IDS. Alarm systems must be designed, installed, and maintained to deter adversaries from circumventing the detection system. (1) The IDS must be tested when it is installed and at least annually thereafter to validate its detection probability and confidence level. (2) If operational testing or effectiveness testing indicates degradation of the IDS or any portion thereof, that portion of the IDS must be revalidated. c. Interior intrusion detection alarms used as compensatory measures for unattended openings in security barriers, portals, utility ducts, or other openings meeting the unattended openings requirements of Chapter V, Paragraph 2a(6), must be operational when the opening is not attended. d. Vaults and vault-type room intrusion alarms must meet the requirements of Chapter XI, Paragraph 2. Intrusion alarms must annunciate when vault openings are accessed. e. Interior alarms providing "envelope" protection inside material access areas, vaults, and vault-type rooms must overlap sufficiently to eliminate unattended openings and areas where intruders would not be detected. f. Balanced magnetic switches, when used, must initiate an alarm upon attempted substitution of an external magnetic field when the switch is in the normally secured position and whenever the leading edge of the door is moved 1 inch (2.5 centimeters) from the door jam. g. Volumetric detectors must detect an individual moving at a rate of 1 foot per second, or faster, within the total field-of-view of the sensor and its plane of detection. h. Systems must be functionally tested in accordance with established procedures at a documented frequency. i. Interior alarm systems protecting classified matter within security areas designated as limited areas or higher must provide the level of protection required by Chapter III of this Manual. 3. EXTERIOR INTRUSION DETECTION SYSTEM REQUIREMENTS. Exterior IDSs must be documented in the SSSP or security plan. Requirements for protected areas, material access areas, and vital areas are as follows. a. The perimeter PIDAS must be capable of detecting an individual (weighing 35 kilograms or more) crossing the detection zone walking, crawling, jumping, running, or rolling (at speeds between 0.15 and 5 meters per second), or climbing the fence, if applicable, at any point in the detection zone with a detection probability of 90 percent, and at a 95 percent confidence level. (1) The IDS must be tested when it is installed and at least annually thereafter to validate that it meets detection probability and confidence level requirements. (2) Any time the system falls below probability of detection, the system must be repaired and revalidated. (3) When calculating detection probability for multiple sensor systems, detection is assumed if any of the sensors detect the intrusion. b. Intrusion detection systems must cover the entire perimeter without a gap in detection, including the sides and tops of buildings situated in the detection area. c. For all openings in exterior barriers, unattended gates and/or portals, and culverts and sewers, intrusion detection capabilities must be at least as effective as the rest of the IDS and must meet the unattended openings requirements of Chapter V, Paragraph 2a(6). d. Intrusion detection systems must overlap sufficiently to eliminate areas of detection gaps or no detection. The length of each detection zone must be consistent with the characteristics of the sensors used in that zone. e. Perimeter IDSs must be (1) designed, installed, and maintained to deter adversaries with the means to circumvent the detection system; (2) provided with an isolation zone at least 20 feet (6 meters) wide and clear of fabricated or natural objects that would interfere with detection systems or the effectiveness of the assessment; (3) free of wires, piping, poles, and similar objects that could be used to assist an intruder traversing the isolation zone or that could assist in the undetected ingress or egress of an adversary or matter. Exceptions to this requirement must be protected by the detection and assessment system or constructed in a manner that deters their use as a means of entering or leaving the area. f. The detection zone of each IDS must be kept free of snow, ice, grass, weeds, debris, and any other item that degrades IDS effectiveness. When this action cannot be accomplished in a timely manner, and detection capabilities become degraded, compensatory measures must be taken to provide timely detection. g. Exterior IDSs require the following. (1) Exterior IDSs must be designed to avoid unnecessary duplication of facilities. Auxiliary power supply facilities, exterior power supply pole lines, and underground power supply duct bank systems must be used jointly for the installation unless joint facility use degrades system performance. Joint use must not expose the security system to damage or unauthorized access. Power wiring and signal wiring may not share the same conduit. (2) Exterior IDSs must provide supervisory and line-tamper circuits commensurate with the requirements in this Manual. h. Intrusion detection systems protecting classified matter within security areas designated as limited areas or higher must provide the level of protection required by Chapter III of this Manual. i. The PIDASs designed for property protection must provide reasonable probability that intruders will be detected as documented in the security plan. 4. ANNUNCIATION AT THE ALARM STATIONS. The following requirements apply to IDS alarm annunciation at the CAS and the SAS. a. Facilities that use commercial alarm station monitoring services to protect Category I and II, and roll-up to Category I or II quantities of SNM and Top Secret matter must connect the sensors by direct, continuously supervised, leased line, or other means that will distinguish DOE facility alarms from all alarms for other customers that are monitored by the service. b. CCTV systems integrated with the alarm station must employ a method to call the alarm station operators' attention to the CCTV monitor when it displays an alarm point activation. 5. RADIO FREQUENCY ALARM COMMUNICATIONS. The RF communications link that replaces the direct hardwired communications link between the sensor and the CAS display panels must maintain a high level of security. a. RF alarm communications systems used to protect Category I SNM are limited to emergencies and temporary situations. (The requirements of this paragraph do not apply to mobile and SNM presence alarm monitoring systems.) b. Emergency and temporary use of RF alarm communications may not exceed 7 days per application and no more than 21 days in a calendar year. c. RF alarm communications systems, as a minimum, must meet all of the following requirements. (1) The RF alarm communications system must be used only as a redundant or alternate path; being hardwired is the primary method. Using two RF frequencies to protect Category I - one as the primary and the other as the secondary path - does not satisfy the DOE requirement for redundant communications paths. Compensatory measures will be required. An exposed, supervised, hardwired system used along with RF may be adequate as a redundant communication path for temporary applications. (2) The systems must provide redundant, self-checking alarm communication paths that annunciate system failure in the alarm stations. Alarm messages that are not acknowledged because of a blocked transmission path must be latched and communicated later through a status or SOH message. (3) The SOH interval must allow for an assessment and response. (4) RF alarm communication systems must be capable of automatically changing the SOH and alarm messages so the messages are not always the same. (5) The system must be capable of detecting and annunciating intentional and unintentional RF jamming. (6) The system must provide unique status change messages for alarm, tamper, and power conditions. (7) The system must provide random or operator-initiated polling features to ensure communication link integrity. (8) Digital Encryption Standard (DES) encryption or other Government-approved encryption techniques must be used for SOH and alarm messages. (9) The enclosure must have tamper-resistant or tamper-alarmed transmitters in both the access and the secure modes. (10) The system must have battery back-up capabilities. (11) The system may not produce spurious signals that interfere with other security systems components. (12) The system must provide a unique electronic address code for each sensor and line supervision from sensor to transmitter. (13) The system must provide a means of interfacing to the alarm annunciation system (i.e., the CAS). (14) Compensatory measures must activate immediately if all or part of the system is being jammed, or if communications are otherwise lost or destroyed. (15) The system must provide communications in all weather conditions and provide immediate compensatory measures if communications are lost or degraded for more than 10 seconds. No alarm data may be lost during the period of lost or degraded communications. (16) The system must address multiple alarm scenario procedures to ensure system credibility is maintained (i.e., that it is not diminished). d. In addition to the above requirements, the site must implement the following procedures to ensure that the system (1) operates in Government frequency bands; (2) is installed and maintained by using the "two-person" rule; (3) is not changed on a network (e.g., from secure mode to access mode); and (4) is functionally tested in accordance with established performance assurance procedures at a documented frequency (DOE O 470.1, Chapter III). e. A vulnerability assessment must be conducted on the site system before it is installed to determine system risk to being "spoofed," "bypassed," or "jammed." 6. LIGHTING REQUIREMENTS. Lighting systems must be adequate to protect the safeguards and security interest. a. Protection system lighting must meet the following criteria: (1) Illumination must be adequate to detect adversaries, to reveal unauthorized persons, and at pedestrian and vehicular entrances, to allow examination of identification and vehicles. (2) Illumination must be adequate to protect classified matter. (3) Maximum use must be made of high-efficiency, high-intensity discharge (HID) lamps, such as metal halide or high-pressure sodium vapor lamps. HID lamps are highly efficient and economical in operation, and their use in protective lighting systems is encouraged. (4) Where lamps require a relight period following a power interruption, and continuous lighting is required, a standby lighting system is required to ensure minimum protective lighting continues during lamp startup and re-strike periods. Accordingly, fixtures next to each other must, when practical and appropriate, be placed on different circuits so that only part of the lighting is extinguished if one circuit becomes inoperative. (5) Facilities requiring protective lighting must have an auxiliary lighting capability of the type and size commensurate with the importance of the facility, the reliability of regular power sources, and the feasibility of using portable lighting equipment. (6) Other than at entry portals, lighting must not illuminate patrol paths or protective force personnel manning fixed posts; that is, lighting used to deter adversaries must illuminate outward from the fixed post. b. Interior lighting requirements for safeguards and security applications include the following: (1) Interior lighting systems must follow the Illuminating Engineering Society (IES) Lighting Handbook. Nonuniform lighting practices must comply with 41 CFR 101-20.116-2. (2) Lighting fixture types, location, and illumination levels must be coordinated with the equipment and functions of telecommunication, alarm, and automated data processing centers to provide the required illumination without (a) interfering with prompt identification of self-illuminated indicating devices, (b) creating reflecting glares that might detract from adequate observation of essential equipment, or (c) creating electrical or electromagnetic interference detrimental to proper operation of equipment. c. Exterior lighting systems must follow the IES Lighting Handbook. System control must use time clocks and/or photocells to provide illumination only when needed. Lighting systems for the protection of Category I and II quantities of SNM and quantities of SNM that roll up to Category I amounts, radiological sabotage targets, and Top Secret matter must have a primary and auxiliary power source. d. Protective lighting for Category I and II quantities of SNM and roll-up to Category I quantities must provide 24-hour visual assessment. (1) Lights must provide a minimum 2 foot-candle illumination at ground level for at least a 30-foot (9.14-meter) diameter around protective personnel posts and around exterior perimeter intrusion detection and assessments system isolation zones, and 0.2 foot-candle illumination for 150 feet (45.72 meters) in all directions. (2) Where protective lighting at remote locations is not feasible, protective personnel patrols and/or fixed posts must be equipped with night vision devices. Night vision devices must not be used routinely in lieu of protective lighting at entrances and exits but may be used if lighting is lost. (3) Light glare must be kept to a minimum if it hampers protective personnel. (4) Light sources on protected perimeters must be located so that illumination is directed outward wherever possible. (5) CCTV assessment must be supported with adequate lighting for the CCTV system employed. e. Protective lighting for other applications must be as specified in local security plans. 7. ELECTRICAL POWER REQUIREMENTS. All IDSs for protecting Category I and II, and roll-up to Category I or II quantities of SNM, radiological sabotage targets, and Top Secret matter must have a primary and auxiliary power source. a. Primary Power Supply. Power sources must contain a switching capability to facilitate operational testing to determine adequate auxiliary power sources. The following power supply requirements apply to safeguards and security. (1) Alarm and Communication Systems. Normal primary power must come directly from the on-site power distribution system or, for isolated facilities, directly from the public utility. Where several primary power sources are available, the most reliable source must be used. (2) Telecommunications, Alarm, and Automated Information Systems Facilities and Radio Repeater Stations. Essential equipment must be connected to an uninterruptible power supply (UPS) or to auxiliary power. Where continuity of service is required for critical cord-connected equipment, twist-lock-type connectors must be used. (3) Radio Control Centers. Power supply requirements must be determined assuming that all transmitters are keyed simultaneously while associated receivers and other equipment and building services are in operation. (4) Power Supply Lines. Circuits must be arranged so that faults, failures, or maintenance on less-critical circuits does not jeopardize critical loads. Protective devices must be used and coordinated for sequential operation from the load to the source. Line location must be established in accordance with clearance requirements stated in American National Standards Institute (ANSI) Standard ANSI-C2 and must be routed within established rights-of-way for each facility. Minimum rights-of-way must extend 5 feet beyond outside conductors. b. Auxiliary Power Sources. Auxiliary power sources must be used with intrusion detection and assessment, automated access control, and CCTV systems used to protect Category I and II, and roll-up to Category I or II quantities of SNM and Top Secret matter. Auxiliary power for systems used to protect other assets must be as approved in applicable security plans. The period of time necessary to implement contingency plans must be documented. (1) Transfer to auxiliary power must be automatic upon failure of the primary source and not affect operation of the protection system, subcomponents, or devices. (2) The CAS and SAS must receive an alarm indicating failure of the protection system primary power and transfer to the auxiliary power source. (3) Rechargeable batteries, when used, must be kept fully charged, or they must be subject to automatic recharging whenever the voltage drops to a level specified by the battery manufacturer. Non-rechargeable batteries must be replaced whenever their voltage drops 20 percent below the rated voltage or manufacturer's recommendations. An alarm signal must be activated at the CAS and SAS to indicate this condition. (4) Auxiliary power sources must have the capability to facilitate operational testing and routine maintenance. c. Standby and Auxiliary Systems. Standby and auxiliary systems must serve loads set forth in NFPA 110. (1) UPS must be provided for equipment that cannot sustain functions through the momentary power loss that occurs when an alternate power source comes on line and picks up the load. (2) Auxiliary power must be provided for protective alarm and communications systems as dictated by the system requirements. Auxiliary power must activate automatically if the primary power source fails; the switch to auxiliary power must be indicated at the CAS/SAS. The annunciator must be located in an occupied area and must indicate any problems with the auxiliary system. (3) Auxiliary or standby power must service security alarm and supervisory sensing devices that have been designated essential. (4) Auxiliary power systems must be capable of maintaining full operation of auxiliary loads for the full time specified (nominally, a minimum of 8 hours). Such power sources must have the necessary built-in features to facilitate operational testing on a periodic basis to verify their readiness. (5) Batteries, when required, must be rechargeable and must be kept fully charged when primary power is available. The charger must automatically switch from float to fast-charge rates at a preset drop in DC bus voltage. The charger must be capable of charging the battery from a fully discharged state to not less than 85 percent of the rated ampere-hour capacity within 24 hours. d. Uninterruptible Power Systems. A UPS must be provided for those loads requiring guaranteed continuous power. CHAPTER IX PROTECTION ELEMENT: ACCESS CONTROL AND ENTRY/EXIT INSPECTIONS 1. GENERAL REQUIREMENTS. The cognizant DOE security office must approve local procedures that implement requirements for access control and entry/exit inspections. The following requirements apply to all security areas. a. Access to a security area, as a minimum, requires verification of a valid access authorization and a valid DOE badge as required by Chapter XV of this Manual. b. Access control requirements must be layered in a graded manner at succeeding boundaries as appropriate for the situation. c. For standardization, the following approved procedures are required for personnel vouching and piggybacking. (1) Consistent with Paragraph (2) below, DOE and contractor personnel with the appropriate access authorization may vouch for or allow another person with the required access authorization level to enter a security area. (2) Each person entering a protected area or a materials access area containing Category I and/or II quantities of SNM must meet all requirements pertaining to access, need-to-know, and submit to entry inspections. Escorted personnel are allowed access to protected areas and material access areas when properly authorized, screened, and under supervision of an assigned escort at all times. (3) Personnel vouching for or permitting piggybacking of another into a security area must inspect the DOE security badge to ensure that it bears a likeness of the individual, and that he/she has the proper access authorization. (4) Time and safety permitting, all personnel within a vehicle are required to produce a valid DOE security badge when accessing a security area. Documentation of exceptions for personnel in vehicles not producing DOE security badges must be described in procedures. (5) Only escort personnel may vouch for or piggyback uncleared persons or persons with a lower access authorization into a security area that requires a higher access authorization and ensure risk mitigation. d. Means must be provided to deter unauthorized intrusion into security areas. Such means include the use of intrusion detection sensors and alarm systems, as specified in Chapter VIII of this Manual, and barriers, random patrols, and/or visual observation. The protection program must include suitable means to assess alarms. e. Automated access control systems may be used if the following requirements are met. (1) Automated access controls, when used for access to any security area, must, as a minimum, verify that the access authorization and the DOE standard badge are valid (i.e., that the badge serial number read by the system matches the serial number assigned to the badge holder). Badges must be validated by means of a PIN or other approved means (e.g., by protective personnel, by personnel-monitored automated access control portals, or by another method/system implemented in SSSP/security plan). (2) Remote, unattended automated access control system portals used to access protection-in-depth security areas do not require a second validation of the badge if (a) protective personnel validate the badge at the concentric security area envelope portals when the individual initially enters the area or (b) use of a PIN supplements presentation of the valid badge at the security area portal. (3) When remote, unattended automated access control system portals are used for access to security areas, the barrier penetration resistance of the unattended access control system portal must be equal to the surrounding building structure. The access control barrier must provide balanced resistance to bypass. (4) Automated access control system intrusion alarms (e.g., annunciation of a door alarm, duress alarm, tamper alarm, or anti-passback indication feature) must be treated in the same manner as an intrusion alarm for the area being protected. (a) Both the CAS and the SAS must be used to monitor and annunciate the automated access control system's intrusion alarm events used to protect Category I and Category II, and roll-up to Category I or II quantities of SNM. (b) Electronic portal search equipment (e.g., metal detectors) may annunciate locally to an individual capable of responding instead of annunciating at the CAS. 2. ACCESS CONTROL SYSTEMS PORTALS. a. Access control systems and entry/exit inspection portals must provide positive control that allows the movement of authorized personnel, vehicles, packages, and material along normal routes while detecting and delaying movement of unauthorized personnel and contraband. b. Portal designs must consider the following. (1) Exits from security areas must be adequate to satisfy the life safety requirements of NFPA 101. Some exits may be provided for emergency use only. (2) Entrances to and exits from security areas must be equipped with doors, gates, rails, or other movable barriers that direct and control the movement of personnel or vehicles through designated portals. (3) Door locks and latches used on security area perimeters must be adequate to satisfy the requirements of NFPA 101. (4) Motorized gate controls, where used, must be located within or immediately adjacent to protective personnel posts at access points. Motorized gates must be designed to facilitate manual operation. (5) Access control points must facilitate ingress and egress of emergency vehicles and fire protection equipment. (6) The number of access control points for each security area must be limited to one or more portals to maintain the barrier integrity. c. The following functions must be performed at access control points or portals. (1) A barrier to personnel entering security areas must be provided until entry is requested and authorized. (2) Portals directly protecting SNM must permit entry of only one person per request unless material surveillance procedures are required. (3) Access must be controlled whenever a request is made to go from a lower security area into another security area with increased protection requirements. (4) Entry and exit inspections must be conducted at access control points or portals to deter introduction of prohibited and controlled articles and unauthorized removal of the safeguards and security interest. 3. AUTOMATED ACCESS CONTROL SYSTEMS. Automated access control systems may be used in place of or in conjunction with protective personnel to meet access requirements. a. Equipment. Automated access control equipment, where used, must meet the following requirements. (1) A DOE security badge must be used to access electronically stored information relevant to the badge and badge holder. (2) The probability of an unauthorized individual gaining access through normal operation of the equipment must be documented. (3) The probability of an authorized individual being rejected for access through normal operation of the equipment must be documented. (4) The access authorization list must be updated when an individual's access authorization has changed or when the individual is transferred or reassigned. (5) Unattended badge readers at protected areas and material access areas must be equipped with anti-passback protection. b. Personnel Augmentation of Automated Access Control Systems. Automated access control systems may be used in place of or in conjunction with protective personnel to control access into security areas. If security areas require additional screening (e.g., at a protect ed area or material access area boundary), and when the PIN or biometric system is either not working or not implemented, protective personnel be utilized as documented in the SSSP. (1) The number of protective force personnel must be sufficient to augment inspections for contraband, with the automated access system determining final access. (2) Portals using automated access or badge reader systems for access control must ensure that the barrier portal provides the same level of protection as the portal controls. Size of the opening must not exceed the standards established by this Manual. c. Protection. Automated access control systems and associated equipment used to protect Category I and/or II quantities of SNM, vital equipment, and/or classified matter must be protected in the following manner. (1) Surveillance by authorized personnel and the use of structural safeguards or other protective devices is required to protect PINS, card reader access transactions, displays (e.g., badge-encoded data), and the processes of imputing, storing, displaying, or recording verification data. (2) Keypad devices that do not have scrambled-number keypads must be equipped with shielding or be installed so that an unauthorized person in the immediate vicinity cannot observe the selection of keys. (3) The system must record attempted unsuccessful, unauthorized access. (4) Automated access control systems are used to read data entered by the person requesting access; if the data is successfully compared to existing data, the portal is electrically unlocked. Where required, such systems must provide assurance that the material surveillance procedure has been met prior to allowing access. (5) Door locks opened by badge readers must be designed to relock immediately after the door has closed. (6) Transmission lines that carry access authorization and personal identification or verification data between devices/equipment must be protected to deter the introduction of data that would permit unauthorized access. (7) Access to records and information concerning access authorization and personal identification or verification data is restricted to individuals cleared at the same level as the information contained within the specific area or areas where identification data or PINs are used. Access to identification or authorization data, operating system software, or any identifying data associated with the access control system is limited to the least number of people possible consistent with operational requirements. (8) Records reflecting active assignments of badges, PINs, levels of access, security clearances, and similar system-related records must be maintained. Records concerning personnel removed from the system must be retained for 1 year unless a longer period is specified by other requirements. (9) Badge reader boxes, control lines, and junction boxes must be supervised, tamper-alarmed, or equipped with tamper-resistant devices. Data gathering panels, or multiplexers, and other similar equipment must be tamper-alarmed or otherwise secured. (10) Auxiliary power must be provided at installations where continuous service is required. 4. ENTRY/EXIT INSPECTIONS. The following safeguards and security requirements apply to entry and exit inspections. The inspection process must be documented in the SSSP or security plans and validated. a. Inspection Equipment. Metal detectors, SNM monitors, explosives detectors, and X- ray machines, as described below, must be used in lieu of or to supplement protective personnel conducting inspections for prohibited articles and Government property (e.g., SNM). (1) Inspection Elements. (a) Passage of individuals, vehicles, and/or packages through security area portal equipment must be observed and controlled by protective personnel. Hand-held and/or portable detectors, SNM monitors, etc., should be available to resolve alarms and as compensatory measures for power failures. (b) Auxiliary power should be provided to all portal inspection equipment. (c) Bypass routes around inspection equipment must be closed or monitored to deter unauthorized passage of personnel and hand-carried articles. (2) Measures must be taken to preclude the unauthorized changing of control settings on all portal inspection equipment. (3) Alarms must annunciate audibly and visually to attending protective force personnel. b. Exit Inspection Procedures. Where required, personnel, vehicles, and hand-carried items, including packages, briefcases, purses, and lunch pails, are subject to exit inspections to deter and detect unauthorized removal of safeguards and security interests from security areas. Collocated SNM monitors and metal detectors must be used to inspect personnel for SNM. Personnel may be inspected visually for classified matter or other safeguards and security interests. (1) Metal Detectors. Metal detectors are an acceptable means of inspecting for metallic SNM shielding. When credible theft scenarios do not require the detection of an object (such as lead), and when requirements are properly documented, detection limits suitable to specific situations must be established. (2) SNM Monitors. SNM monitors may be used to inspect for concealed SNM. c. Compensatory Measures. Compensatory measures must be available at each location in the event of portal search/inspection equipment failure. d. Inspection Procedures. Personnel, mail, vehicles, and packages must be inspected prior to or at entrances of security areas to prevent the introduction of concealed prohibited articles. (1) Explosives Detection. Explosive detection programs must provide assurance that explosives are not introduced without authorization. (a) Portal explosive detection systems must be used at the entrances to protected areas and material access areas to supplement the inspection process performed by protective personnel. (b) The detection capability must be based on the one-time introduction of the threat quantity. (c) The extent and frequency of detection activities must be determined by the cognizant local DOE authority for safeguards and security. Random detection may be performed at the property protection area and limited area boundaries. (d) Procedures for countering the introduction of explosives into a site/facility must address the introduction of explosives by all type vehicles. (2) Portal Metal Detection. Metal detectors used in the inspection process must provide assurance that weapons are not introduced without authorization. (a) Portal metal detectors used for protected area entry applications must, at a minimum, detect test weapons listed in Paragraphs 4d(2)(c), 1 and 2 below in all locations throughout the detection field. (b) Portal metal detectors used for material access area entry applications must, at a minimum, detect test weapons listed in Paragraphs 4d(2)(c), 1, 2, and 3 below in all locations throughout the detection field. (c) The following must be used as standard test weapons: 1 steel and aluminum alloy 0.25-caliber automatic pistol, manufactured in Italy by Armi Tanfoglio Giuseppe, sold in the United States by Excam as Model GT27B and by F.I.E. as the Titan (weight: approximately 343 grams); 2 Aluminum Model 7, 0.380-caliber Derringer, manufactured by American Derringer Corporation (weight: approximately 200 grams); 3 stainless steel 0.22-caliber long rifle mini-revolver; manufactured by North American Arms (weight: approximately 129 grams). (3) X Ray. X-ray machines used in the inspection process must be capable of detecting bulk and hand-carried prohibited articles entering protected areas and material access areas. (a) X-ray machines are used to reinforce and supplement both the explosive and metal detectors above. (b) X-ray machines must be capable of imaging a 26-gauge wire at Step 5 of an American Society for Testing and Materials (ASTM) step wedge. (Reference: American Society of Testing Materials Standard 792-88, Standard Practice for Design and Use of Ionizing Radiation Equipment for the Detection of Items Prohibited in Controlled Access Areas.) (4) SNM Monitors. (a) SNM monitors must meet detection requirements established in DOE M 474.1-1, and the physical protection requirements of DOE M 473.1-1. (b) False alarm rates may not exceed an average of one per 8-hour period. CHAPTER X PROTECTION ELEMENT: BARRIERS AND LOCKS 1. GENERAL REQUIREMENTS: BARRIERS. Physical barriers, such as fences, walls, doors, or activated barriers, must be used to deter and delay unauthorized access to security areas. a. Physical barriers must serve as the physical demarcation of the security area. (1) Barriers must be used to facilitate effective and economical use of protective personnel and to direct the flow of personnel and vehicular traffic through designated portals in a manner to permit efficient operation of access and entry control inspections. (2) Portals must provide a barrier resistance to bypass, and they must extend from the true ceiling to the floor and from barrier wall to barrier wall. (3) Permanent barriers must be used to enclose security areas, except during construction or transient activities, when temporary barriers may be erected. Temporary barriers may be of any height and material that effectively impedes access to the area. (4) Fences used for perimeter barriers must be installed not less than 20 feet (6 meters) from the building or material under protection. If the distances specified cannot be accommodated because of property lines, building locations, health and safety, or other site-specific considerations, and unacceptable risk is created, supplementary protective measures must be provided. The design criteria for fences and barriers are included in this chapter. (5) Barriers must provide adequate strength for protection with respect to the safeguards and security interests being protected. (6) Unattended openings in barriers must be protected as required in Chapter V, Paragraph 2a(6) (7) Wire mesh used to enhance penetration resistance must be 2 square inches or smaller mesh of No. 11 American Wire Gauge or heavier steel wire or expanded metal. (8) Sound attenuation for those areas designated for classified discussions must be incorporated in accordance with the Technical Surveillance Countermeasures Procedural Manual. b. Access delay times provided by the barrier used as a security area boundary must be documented. (1) Breaching tools used against the barrier must be documented. (2) Access delay times must be used in vital areas. 2. FENCING. When used for deterrence purposes, fencing must meet the following minimum construction requirements. a. Temporary Security Fencing. During construction or transient activities, temporary security fencing must be installed to (1) exclude unauthorized vehicular and pedestrian traffic from the construction site; (2) restrict authorized vehicular traffic to designated access roads; (3) protect construction materials and installed work from sabotage and curiosity seekers; (4) protect construction sites against vandalism or theft; (5) provide construction site integrity and a clear zone to suit site-specific conditions; and (6) provide consistency with site-specific security and protection goals and operational requirements. b. Permanent Security Fencing. When used for protection purposes, fencing must meet the following construction requirements. (1) Alternative barriers may be used instead of fencing if the penetration resistance of the barrier is equal to or greater than standard fencing. (2) Fencing must be limited to that required for safety, physical security, and activity control. Fencing must be grounded around substations, fuel storage areas, and other areas where static electricity or electrical discharge could create a hazard. (3) Areas under security fencing subject to water flow, such as bridges, culverts, ditches, and swales, must be blocked with wire or steel bars that adequately provide for the passage of floodwater but also provide a penetration delay equal to that of the security fence. (4) Depressions where water flow is not a problem must be covered by additional fencing suspended from the lower rail of the main fencing. Weed control may justify paving the area beneath fences. c. Security Fence Design Considerations. Safeguards and security fences must be designed to address the following considerations. (1) Fencing must extend to within 2 inches (5 centimeters) of firm ground, or below the surface if the soil is unstable or subject to erosion. Surfaces must be stabilized in areas where loose sand, shifting soils, or surface waters may cause erosion, thereby assisting an intruder in penetrating the area. Where surface stabilization is impossible or impractical, concrete curbs, sills, or similar types of anchoring devices extending below ground level must be provided. (2) Unattended openings, as described in Chapter V2a(6), must be protected. (3) Fencing Materials and Specifications. The following requirements apply to fencing materials. (a) Galvanized steel chain link fabric, consisting of a minimum of 11-gauge with mesh openings not larger than 2 inches, must be used at security areas. This fencing must be topped by three or more strands of barbed wire on single or double outriggers. Double outriggers may be topped with coiled barbed wire (or with barbed tape coil). When single barbed wire outriggers are used, they must be angled outward, away from the security area. (b) Overall fence height, excluding barbed wire or barbed tape coil topping, must be a minimum of 7 feet (2.13 meters). (c) Wood fencing may be used to comply with nonmagnetic requirements and to obstruct the view into limited personnel access areas. (d) Woven wire fencing should be limited to railway and highway rights-of- way. (e) Barbed wire fencing may be used for boundaries of open, undeveloped area. (4) Fence lines must be kept clear of vegetation, trash, equipment, and other objects that could impede observation or facilitate bridging. (5) Gate hardware for security fencing must be installed in a manner to mitigate tampering and/or removal (e.g., by brazing, peening, or welding). (6) Security fences are not required around property protection areas, unless documented in the SSSP or security plan. (7) Alternative barriers may be used in lieu of fencing if the penetration resistance of the barrier is equal to or greater than the standard fencing described in 2b above. (8) Where appropriate, the following design criteria must be shown on the facility drawings: (a) materials (e.g., fence fabric, posts, concrete, fence anchor sills or bottom rails, tension wires, barbed wire, and outriggers); (b) grading (e.g., horizontal alignment, vertical alignment, clearance from obstructions, utility crossings, and surface and subsurface drainage); (c) soil stabilization (i.e., �3-inch maximum variation in planar surface for microwave or active infrared); (d) permanent vegetation control [i.e., herbicide along the base of fence and within a clear zone 20 feet (6 meters) to each side of a fence or permanent pavement beneath a microwave or active infrared beam line]; (e) electrical grounding; (f) closures (e.g., gate sizes, types, clearances, hardware, motor operators, control systems, and direction of swing); (g) barrier heights including buildings located on the barrier to impede unauthorized access to security areas. (9) A clear zone must be provided along each side of security fence perimeters to facilitate intrusion detection and assessment. Double fences should be separated by a clear zone of at least 20 feet (6 meters). If this minimum distance is not possible, supplementary protective measures must be considered (e.g., greater fence height or other protective measures). (10) Vehicle barriers (i.e., wire-rope-type) must be considered for outside the inner fence where the secured perimeter bounds heavy vehicular traffic areas. (11) Posts, bracing, and other structural members must be located on the inside of secured perimeters. Where the galvanized finish has been removed or damaged during installation, the posts, bracing, and other structural members must be coated with zinc-enriched paint. (12) Electrical grounding must be provided for all permanent security fencing in accordance with the National Engineering Code. 3. PERIMETER ROADS AND WALKWAYS. All-weather patrol roads or walkways must be provided along the inside of the perimeter security fence surrounding security areas if the security fence is to be patrolled by protective force personnel. Turnouts must be considered for use at frequent intervals if roadway shoulders are not available for vehicle parking. 4. PERIMETER BARRIER GATES AND ENTRY CONTROL POINTS. The number of entry control points (ECPs) must be limited to establish and maintain security integrity. a. Points of vehicle and pedestrian access to security areas must provide the same level of protection as that provided at all other points along the security perimeter. b. ECPs must be designed to provide positive security control over vehicular and pedestrian traffic entering the secured area. ECPs must be structurally hardened, as necessary, to meet site-specific criteria. c. ECP designs must facilitate ingress and egress of emergency vehicles, such as fire protection equipment. d. Where feasible, the ECP must be placed within the protective barriers so that the ECP can be closed during low-traffic periods and the PIDAS enabled. This configuration must provide a continuous PIDAS zone at the barrier that encompasses the ECP. e. Motorized gates must be considered for primary access points. Where practicable, motorized gate controls must be located within protective force stations at each access point. Motorized gates must be designed to facilitate manual operation during power outages. f. Electrical continuity must be provided across all gate openings. Operating mechanisms for motorized gates must be grounded. g. The number of ECPs within each security boundary must be minimized. ECP design features must comply with NFPA 101. h. Primary and auxiliary alarm and communication systems must be provided between ECPs and the response force communications center. i A UPS must be considered for loads that, if interrupted, would degrade the security of the associated area. 5. WALLS. Walls serving as security area boundaries must meet the following requirements. a. Building materials must offer penetration resistance to, and evidence of, unauthorized entry into the area. Construction must meet local building codes. b. When transparent glazing material is used, visual access to the classified material must be prevented by the use of drapes, blinds, or other means. c. Insert-type panels (if used) must be such that they cannot be removed from outside the area being protected without showing visual evidence of tampering. d. Walls that constitute exterior barriers of security areas must extend from the floor to the structural ceiling, unless equivalent means are used. 6. CEILINGS AND FLOORS. Ceilings and floors must be constructed of building materials that offer penetration resistance to, and evidence of, unauthorized entry into the area. Construction must meet local building codes. 7. DOORS. Doors and doorjambs must provide the necessary barrier delay rating required by the security plan. As a minimum, requirements must include the following. a. Doors with transparent glazing material may be used if visual access is not a security concern; however, they must offer penetration resistance to and evidence of unauthorized entry into the area. (1) Doors that serve as the primary physical security barriers must provide penetration resistance equal to that of the adjoining walls, ceilings, and floors. (2) If visual access is not a factor, doors with glass panels may be used; however, glass door panels must comply with Paragraph 8b below, or be equipped with wire mesh fastened securely to the door, preferably on the inside. b. Where more than one door is required for a security area, single doors or double doors with a removable mullion between them must be used. c. Doors that serve exclusively as emergency and evacuation exits from security areas must- (1) not be accessible from outside the security area, (2) comply with NFPA 101, (3) not open into spaces of greater security, and (4) comply to DOE security requirements. d. Offices or rooms where Secret or Top Secret information is discussed on a recurring or routine basis must be secured and the discussions conducted according to the provisions of the DOE Technical Surveillance Countermeasures procedures. e. A sight baffle must be used if visual access is a factor. f. An astragal must be used where doors used in pairs meet. g. Door louvers, baffle plates, or astragals, when used, must be reinforced and immovable from outside the area being protected. 8. WINDOWS. The following design requirements must be applied to security windows. a. Frames must be securely anchored in the walls, and windows must be locked from the inside. (1) Windows may be installed in fixed (i.e., unopenable) frames so that the panes cannot be removed from outside the area being protected. (2) Where double or triple glazing is required, insulating glass units, not multiple glazing, must be used. (3) Windows and curtain walls must be designed for wind loads in accordance with the Uniform Building Code. (4) Windows used as the primary physical security barriers must (a) provide penetration resistance equal to the adjoining walls, ceilings, and floors; (b) be constructed of shatter-resistant, laminated glass panes of 9/32-inch minimum thickness or other material providing an equal degree of resistance. b. Visual barriers must be used if visual access is a factor. 9. UNATTENDED OPENINGS. a. Physical protection features must be implemented at all locations where storm sewers, drainage swells, and site utilities intersect the fence perimeter. b. Unattended openings in security barriers that meet the following criteria must be protected or compensatory measures applied: (1) the opening is larger than 96 square inches (619.20 square centimeters) in area and larger than 6 inches (15.24 centimeters) in the smallest dimension; and (2) the opening is located within 18 feet (5.48 meters) of the ground, roof, or ledge of a lower security area; or (3) the opening is located within 14 feet (4.26 meters) diagonally or directly opposite windows, fire escapes, roofs, or other openings in uncontrolled adjacent buildings; or (4) the opening is located within 6 feet (1.83 meters) of other uncontrolled openings in the same barrier. 10. ACTIVATED DISPENSABLE BARRIERS, DETERRENTS, AND OBSCURANTS. Activated dispensable barriers, deterrents, and obscurants, if used, must meet the following requirements. a. Obscurants must consider spatial density versus time. b. Other dispensable materials must be prudently implemented and individually evaluated for effectiveness of delay. c. Controls and dispensers must be protected from tampering and must not be collocated. 11. VEHICLE BARRIERS. Vehicle barriers must be used to preclude, deter, and where necessary prevent penetration into security areas when such access cannot otherwise be controlled. a. Above-grade vehicle barriers must be considered to preclude intruder concealment. b. Speed reducers must be considered for use at ECPs to slow approaching adversary vehicles to within vehicle barrier design limits if needed to achieve site-specific threat/target system response requirements consistent with the operational and protection goals of the facility. 12. HARDWARE. Screws, nuts, bolts, hasps, clamps, bars, wire mesh, hinges, and hinge pins must be fastened securely to preclude removal and to ensure visual evidence of tampering. Hardware accessible from outside the area must be peened, brazed, or spot-welded to preclude removal or otherwise secured by tamper-resistant hardware (e.g., nonremovable hinge pins). 13. GENERAL REQUIREMENTS: LOCKS. The requirements for security locks must be applied in a graded fashion. a. General. Consideration must be given to the safeguards and security interest being protected, the identified threat, existing barriers, delay time provided by the lock, and other protection measures afforded when determining which requirements to follow. b. Key Locksets. Key locksets must meet ANSI Standard A156.2, American National Standards for Bored and Preassembled Locks and Latches. c. Positive Locking Devices. Access doors to security posts must be provided with positive locking devices to prevent unauthorized entry. d. Lock Hardware. (1) Lock bars must be 1-1/4 inch (31.75 millimeters) by 3/16 inch (4.76 millimeters) or equivalent in cross section and constructed of material hardened to Rockwell C59 to C63 standards, including rivets. (2) Hasps and yokes on repositories containing classified matter must be constructed of material hardened to Rockwell C59 to C63 standards; be at least 1/4 inch (6.35 millimeters) in diameter or equivalent cross section; and be secured to the repository by welding or riveting. (3) Panic hardware or emergency exit mechanisms used on emergency doors located in security areas must be operable only from inside the perimeter and must meet all applicable Life Safety Codes. (4) Federal standard FED-STD-809 must be used for the neutralization and repair of GSA-approved security containers. e. Key Management. Security keys must be protected at the level approved by the security plan. An inventory and accountability system must be implemented. CHAPTER XI PROTECTION ELEMENT: SECURE STORAGE 1. GENERAL REQUIREMENTS. Classified safeguards and security interests must be protected as specified in Chapter III of this manual. Vaults, vault-type rooms, or security containers providing secure storage must meet the following requirements: a. Secure storage must be under the protection of intrusion detection alarms with a security force response and patrol capability as follows. (1) A vault must be under intrusion detection alarm protection with protective force response within 15 minutes of alarm annunciation. (2) A vault-type-room located within a limited, exclusion, protected, or material access area must be under intrusion detection alarm protection with protective force response within 15 minutes of alarm annunciation. (3) A vault located outside DOE security areas must be under intrusion detection alarm protection with protective force response within 5 minutes of alarm annunciation. b. Vaults must be fire-resistant, windowless, penetration-resistant enclosures with intrusion detection alarms on the doors. c. SNM vaults built after 7-15-74 for the Protection of Category I quantities of SNM, Attractiveness Level A, must be underground or below-grade construction. d. Locks must meet Federal Specification FF-L-2740. The existing three-position changeable combination locks on GSA-approved Class 5 security containers may continue to be used until replaced, or until October 1, 2012. All security containers placed into service after the date of this Manual must have a lock that meets Federal Specification FF-L-2740. e. Open storage of Secret and Confidential classified matter is allowed in a vault-type room and a vault-type room complex. Open storage of Top Secret material is allowed in a vault. (1) For open storage, perimeter walls, floors, and ceiling must be permanently constructed, attached to each other, and constructed to provide visual evidence of unauthorized penetration. (2) Doors for open storage construction must be constructed of wood, metal, or other solid material. Entrance doors must be secured with a built-in, GSA- approved three-position combination lock. f. Access to vaults and vault-type rooms must be strictly controlled and based on an appropriate access authorization and an authorized need-to-know. Persons without need-to-know and the appropriate access authorization must be under escort at all times. Supplementary protective measures to mask classified matter must be employed prior to access by cleared persons without need-to-know or visitors. 2. VAULTS AND VAULT-TYPE ROOMS. The minimum standards required for construction of vaults and vault-type rooms other than modular vaults apply to all new construction, reconstruction, alterations, modifications, and repairs. a. Vault Construction. Wall, floor, and roof construction must comply with nationally recognized standards of structural practice, to Executive Order 12958, Presidential Directive on Safeguarding Classified National Security Information. The requirement for thickness must be determined by the requirement for forcible entry delay times for the safeguards and security interest stored within, but must not be less than the delay time provided by 8-inch-thick concrete poured in place, with a minimum 28-day compressive strength of 2,500 pounds per square inch (17,237 kilo-Pascal). As an alternative to minimum concrete thickness or structural criteria specified in the following sections, activated barriers may be used to reduce construction and achieve the same delay time. (1) Doors. For a vault not containing SNM, the type of door and frame complying with Class 5 Standards of Federal Specification AA-D-600B, "Door, Vault, Security," must provide the desired level of protection. (2) Floor and Walls. Walls must be extended to the underside of the roof and ceiling slab above. (3) Roof and/or Ceiling. The roof and/or ceiling must be a monolithic, reinforced concrete slab. (4) Hardware. Heavy-duty builder's hardware must be used in construction, securely fastened to preclude surreptitious removal and to ensure visual evidence of tampering. Hardware accessible from outside the area must be peened, pinned, brazed, or spot-welded to preclude removal. (5) Miscellaneous Openings. Any unattended openings that meet the intent of the unattended opening requirement of Chapter V, Paragraph 2a(5), must be equipped with intrusion detection, or barriers such as 9-11 American Wire Gauge wire mesh, 9-gauge expanded metal, or rigid steel bars at least one-half inch (1.3 centimeters) in diameter and welded vertically and horizontally 6 inches (15.24 centimeters) on center. The rigid steel bars must be securely fastened at both ends to preclude removal. Where wire mesh, expanded metal, or rigid metal bars are used, reasonable assurance must be provided that classified matter within the vault cannot be removed with the aid of any type of instrument. After installation, the annular space between the sleeve and the pipe or conduit must be filled with lead, wood, waterproof caulking, or similar material to give evidence of surreptitious removal. (6) SNM Vault. An SNM Vault must be a penetration-resistant, windowless enclosure that has (a) walls, floor, and ceiling substantially constructed of materials that afford forced penetration resistance at least equivalent to that of 8-inch-thick reinforcement concrete; (b) any openings greater than 96 square inches in area and over 6 inches in the smallest dimension protected by imbedded steel bars at least 5/8 inches in diameter on 6-inch centers both horizontally and vertically; (c) a built-in combination locked steel door that in existing structures is at least 1-inch thick, exclusive of bolt work and locking devices, and that for new structures at least meets the Class 5 standards set forth in Federal Specifications AA-D-600B. (7) Modular Vaults. A modular vault approved by the General Services Administration (GSA) may be used in lieu of a vault for the storage of classified matter. The modular vault must be equipped with a GSA-approved vault door and locks, and intrusion detection alarms as specified in Chapter XI, paragraph 4.b. of this manual. b. Vault-Type Room Construction. The standard for constructions meet the requirements of Annex A to Executive Order 12958, Presidential Directive on Safeguarding Classified National Security Information. The following minimum standards are required for all new construction, reconstruction, alterations, modifications, and repairs of existing areas. (1) Hardware. Heavy-duty builder's hardware must be used in construction, securely fastened to preclude surreptitious removal and to ensure visual evidence of tampering. Hardware accessible from outside the area must be peened, pinned, brazed, or spot-welded to preclude removal. (2) Floors and Walls. Construction materials must offer resistance to and evidence of unauthorized entry into the area. If insert-type panels are used, a method must be devised to prevent the removal of such panels without leaving visual evidence of tampering. (a) Should any of the outer walls be adjacent to space not controlled by DOE, the walls must be constructed of more substantial building materials, such as brick, concrete, corrugated metal, etc. (b) If visual access is a factor, area barrier walls must be opaque or translucent. (3) Windows. Those windows that open and are less than 18 feet (5.48 meters) from an access point (e.g., another window outside the area, roof, ledge, or door) must be fitted with �-inch (1.3-centimeter) bars that are separated by no more than 6 inches (15.24 centimeters), plus crossbars to prevent spreading, and/or18-gauge expanded metal, or wire mesh securely fastened on the inside. (a) If visual access is a security concern, the windows must be closed and locked and made to be translucent or opaque. (b) During non-working hours, the windows must be closed and securely fastened to preclude surreptitious entry. (4) Doors. Doors must be of wood or metal and of substantial construction. Windows, panels, or similar openings must be secured with 18-gauge expanded metal or wire mesh securely fastened on the inside. Wooden doors must be of solid core construction, 1.75 inches thick, or faced on the exterior side with at least 16-gauge sheet metal. (a) If visual access is a security concern, windows must be translucent or opaque. (b) When doors are used in pairs, an astragal must be installed where the doors meet. (c) When used, door louvers or baffle plates must be reinforced with 18-gauge expanded metal or wire mesh fastened inside the area. (5) Ceilings. (a) When wall barriers do not extend to the true ceiling and a false ceiling is created, the false ceiling must be reinforced with wire mesh or 18-gauge expanded metal to serve as a true ceiling, or ceiling tile clips must be secured. 1 Any wire mesh or expanded metal used must overlap the adjoining walls and be secured to show evidence of any tampering. 2 When ceiling tile clips are used, a minimum of four clips must be installed per tile. The clips must be installed from the interior of the area, and each clip must be mounted to preclude surreptitious entry. (b) In some instances, there may be a valid justification for not erecting a solid suspended ceiling as part of the area. For example, in areas where overhead cranes are used to move bulky equipment, the air conditioning system may be impeded by the construction of a solid suspended ceiling, or the height of the classified matter may make a suspended ceiling impractical. In such cases, special provisions, such as motion detection devices, must be used to ensure that the area cannot be entered surreptitiously by going over the top of the barrier walls. (6) Miscellaneous Openings. Miscellaneous openings must meet the requirements for vaults given in Chapter V, Paragraph 2a(6). (7) A vault-type room used for storage of SNM, Attractiveness Level B, must be provided enhanced protection [e.g., by collocating the room with the protective force response station and/or activated barrier(s)]. 3. VAULT-TYPE ROOM COMPLEX. The vault-type room complex barriers must meet the penetration resistance, intrusion detection, and access control requirements of a vault-type room. a. Vault-type room safeguards and security criteria may be extended to multiple rooms, including an entire building. Individuals must be authorized for access to all safeguards and security interests within the vault-type room complex before they are allowed to enter, unless supplementary protective measures are employed. b. The general requirements for a vault-type complex are listed below. (1) Barrier requirements apply to the outer walls, floor, and ceiling. (2) Outer walls must extend from true floor to true ceiling. (3) Interior walls may extend only to a false ceiling and/or raised floor. (4) Interior doors, windows, and openings may exist between different work areas. c. The requirement to detect unauthorized access may be accomplished through direct visual observation by an individual authorized in the area or through intrusion detection sensors. Detection of "inner wall" penetration or motion within the vault-type complex is not required. False ceilings and raised floors are permitted. d. Intrusion sensors associated with walls, floors, and ceilings that are not under constant visual surveillance but are associated with the vault-type room complex envelope must be activated and functioning correctly at all times. 4. INTRUSION DETECTION SYSTEMS. IDSs are required for vaults, for vault-type rooms, and in some instances for containers used to store classified safeguards and security matter. a. Vaults. Doors or openings allowing access into vaults must be equipped with IDS devices. A balanced magnetic switch, or other equally effective device, must be used on each door or movable opening to allow detection of attempted or actual unauthorized access. b. Vault-Type Rooms. IDSs for vault-type rooms must be capable of detecting penetration through floors, walls, ceilings, and openings, or movement within the facility envelope, consistent with that required to remove or compromise security interests within the vault-type room. (1) Where IDS sensors are used to detect facility envelope penetration, the openings discussed in Chapter V, Paragraph 2a(6) of this Manual, must be referenced for the minimum required detectable size of penetration. The only exception is on-grade, concrete floors that do not require detection. (2) Where IDS sensors are used to detect movement within the facility envelope, sensor coverage must be provided for credible pathways from the facility envelope to the matter being protected. Credible pathways must consider visual protection and must be documented. If the distance between the true floor (or ceiling) and the false floor (or ceiling) does not exceed 6 inches (15.24 centimeters), intrusion alarms are not required between the two floors (or ceilings). (3) In addition to detecting penetration of the facility envelope or movement in the room, a balanced magnetic switch or other equally effective device must be used on each door or movable opening to allow detection of attempted or actual unauthorized access. (4) For open storage of secret matter within a PA, two physically separated barriers contained within concentric security areas, with separate entry controlled portals are required. In addition, the material must be contained in a locked facility or storage container, be equipped with intrusion detection systems, and provide access control to the entrance to storage facility. Need- to-know requirements must be maintained. Response forces and patrols must be capable of meeting response requirements of Chapter III of this manual. Refer to Chapter II of this manual for physical protection requirements for SNM. c. Security Containers: Security containers not equipped with locks meeting Federal Specification FF-L-2740, must be stored in a locked room or facility equipped with intrusion detection equipment, and within the minimum protection of a DOE designated Limited Area, depending upon the classification of the material stored. In addition, the security containers must be under the protection of intrusion detection alarms. Under the protection of intrusion detection alarms means that the containers must be protected within the protection envelope of intrusion detection systems with the alarm detection on the surface of the security containers or steel filing cabinets, or the material being protected. 5. SECURITY CONTAINERS. The GSA establishes the national minimum standards and specifications for commercially manufactured security containers. Containers purchased after 7-14-94 must conform to the latest GSA standards and specifications. a. Security Container Requirements. (1) Test Certification Label. Security containers, cabinets, or repositories must bear a test certification label on the inside of the locking drawer or door and must be marked "General Services Administration-Approved Security Container" on the outside of the top drawer or door. (2) Maintenance. Maintenance information must be maintained for all containers. A history for each security container describing damage sustained and repairs accomplished must be recorded on Form 809 and retained for the life of the security container. (3) Transfer of Security Containers. When a security container is transferred from one organization to another, the custodian from the original organization must certify in writing that all classified matter has been removed prior to the transfer. Certification must be made to the organization's security office and must include the security container's make and property tag number (or other unique identifying numbers or markings), the custodian's name and organization, and the statement "All classified matter has been removed from this (these) security container(s) prior to transfer from my (transferring) organization to (receiving) organization." b. Damage and Repair of General Services Administration-Approved Security Containers. Only appropriately cleared or escorted safe technicians or locksmiths may neutralize lockouts or repair any damage that affects the integrity of a security container approved for the storage of classified information. (1) Requirements in FED-STD-809, Neutralization and Repair of GSA Approved Containers, must be met for neutralization and repair of GSA- approved containers and vault doors. (2) Physically modified containers are not considered approved by the GSA. CHAPTER XII PROTECTION ELEMENT: COMMUNICATIONS 1. GENERAL REQUIREMENTS. Communications equipment must be provided to facilitate reliable information exchanges between protective personnel. The communications equipment must meet the following requirements. a. Facilities protecting Category I and II, and roll-up to Category I or II quantities of SNM must have a minimum of two different voice communications technologies to link each fixed post, CAS, SAS, and protective force personnel dispatch point within the facility. b. Alternate communications capabilities must be available immediately upon failure of the primary system. Channels considered critical to protective personnel communications must have backup stations. Records of the failure and repair of all communications equipment must be maintained in a form suitable for compilation by type of failure, unit serial number, and equipment type. c. A continuous electronic recording system must be provided for all security radio traffic and telecommunications lines that provide support to CASs in the interest of national security. The logging recorder must be equipped with a time track and must cover all security channels. d. Systems must remain operable during the loss of primary electrical power. 2. COMMUNICATION SYSTEMS. Communication is the most vital function of a protection system and must be transferred through the network quickly and reliably. Protection system communications must support two vital functions: alarm communication/display and protective force communications. a. Alarm Communication and Display. An alarm communication and display system must transmit alarm signals from intrusion detection sensors and display the information to a security alarm station operator for action. To be acceptable, a system must include fast reporting time (real-time reporting as specified in the SAMACs document), supervision of all communication cables, easy and quick discovery of single-point failures, isolation and control of sensors, and expansion flexibility. (1) Security Design Considerations. The alarm display system must address the following: (a) information to be displayed, (b) how to present the information, (c) how the operator will communicate with the system, and (d) how to arrange the equipment at the operator work station. (2) Integration. The alarm communication and display system must be an integrated system of people, procedures, and equipment designed to address the specific needs and resources of the site. (3) Alarm Assessment. The sensors must be connected to the alarm communication system and displayed at a CAS. The CAS operator must have a means to communicate with the response force for alarm assessment. Normally, two-way radios are used for this communication although paging systems and telephone lines are acceptable alternatives. b. Protective and Response Force Communications. Protective force communications include the procedures and hardware that allow members to communicate with each other. The most common system consists of radios that can operate on low power, are battery operated, and can be hand-held. (1) Design Considerations. The design of a communication system for the protective and response force must address specific features, complexity, resistance to eavesdropping, vulnerability to transmission of deceptive messages, and susceptibility to jamming. (2) Special Response Requirements. Special response team members are required to use digitally encrypted radio and channels that are separate from the normal operations channels. (3) Alternate Means of Communication. Alternate means of communication must be in place, such as telephones, intercoms, public address systems, hand signals, sirens, lights, pagers, couriers, computer terminals, flares, duress alarms, smoke, or whistles. 3. DURESS SYSTEMS. Facilities protecting Category I and II, and roll-up to Category I or II quantities of SNM must have duress capabilities from mobile and fixed posts. The duress system must meet the following requirements. a. Activation of the duress alarm must be as unobtrusive as practicable. The duress alarm must annunciate at the CAS and SAS, but not at the post that initiates the alarm. b. The duress alarm for a CAS must annunciate at the SAS, while the duress alarm for the SAS must annunciate at the CAS. 4. RADIOS. Fixed post radios, mobile radios, and portable radios must be provided to support operational security requirements and the special response team-SPO III requirements. a. The radio system must be capable of accessing operational and support channels used for security. (1) These radios must have sufficient power and sensitivity for two-way communications with the facility base stations on the primary channel. (2) Security communication channels must be restricted to security operations. b. Portable radios must (1) be capable of two-way communication on the primary security channel from within critical buildings and structures and (2) provide an alternate means of communication, if safety or process procedures prohibit transmission within a building or structure. c. Mobile radios and base station radios must be capable of maintaining two-way communication with the CAS on the primary channel. d. Base station radios, which are controlled from the CAS, must include emergency response channels. e. Portable radios must contain sufficient battery capacity to operate for 8 hours at maximum expected duty cycle. Procedures for radio exchange, battery exchange, or battery recharge can be used to meet this requirement. f. Radio repeater station exterior walls must be windowless. Roofs may not have skylights or roof windows. 5. ANTENNA TOWERS, POLES, AND MASTS FOR COMMUNICATIONS SYSTEMS. a. Antennas or reflectors, transmission lines, and other equipment to be mounted on the antenna structures and the location, number, height, material, arrangement, and orientation of antenna structures must comply with DOE M 200.1-1, and be coordinated with the local TEMPEST coordinator. b. Design drawings and specifications must be used as guidance for the following: (1) typical antenna mast suitable for supporting various types of VHF or UHF antennas (drawing shows mounting details); (2) underground, hardened, and remotely controlled telescoping pushup antenna structures and facilities for high-frequency applications. c. Where radio repeater antenna towers, poles, or masts are located away from the building, interconnecting cables must be placed underground or adequately supported by a messenger wire (or cable). The building end of the messenger wire must not be secured to the bulkhead panel unless the panel and appurtenances are designed to support the load. 6. SPECIAL RESPONSE TEAM RADIO COMMUNICATIONS. Special response team radio communications equipment must be capable of transmitting routine and emergency information. Equipment must meet all requirements of the radio system for the rest of the facility, except that the special response team two-way radios must be equipped with digital encryption that meets the requirements of DOE M 200.1-1, TELECOMMUNICATIONS SECURITY MANUAL. Special response team radio equipment must use channels separate from the normal operational channels. 7. TELEPHONE SYSTEMS. Basic underlying protection measures must be in place to prevent the compromise of classified or unclassified sensitive discussions in the vicinity of telephone instruments. a. Telephone Security Group (TSG) Standards must be used as the primary technical and policy resource for DOE for all aspects of telephone systems used in areas where classified information is discussed. See the TSG program manager for more information. b. On-hook security must be provided to all telephone instruments in areas where classified or sensitive government information is discussed as described in TSG 1, Introduction to Telephone Security, and in accordance with one of the following. (1) All telephone switches and specific TSG-approved telephone instruments must incorporate security features. These telephone instruments (listed below) must be part of the TSG type-accepted program and have been accepted for connection to telephone systems that in themselves have no inherent security features: (a) TSG 3, type-accepted program for telephones used with the conventional Central Office Interface; (b) TSG 4, type-accepted program for electronic telephones used with computerized telephone systems; (c) TSG 5, on-hook audio security performance specifications for any other telephone instruments or telephone systems. (2) Telephone instruments must be isolated from uncontrolled lines by means of approved disconnect devices, as outlined in TSG 6. (3) Implementation of TSG standards neither prevents the application of more stringent requirements nor satisfies the requirements of other security programs under the provisions of DOE M 200.1-1, TELECOMMUNICATIONS SECURITY MANUAL. CHAPTER XIII PROTECTION ELEMENT: MAINTENANCE 1. GENERAL REQUIREMENTS. Security-related subsystems and components must be maintained in operable condition. General policy and objectives are provided in DOE O 430.1, Life-cycle Asset Management. A regularly scheduled testing and maintenance program must be established. 2. CORRECTIVE MAINTENANCE. Corrective maintenance must be performed on site- determined essential and non-essential physical protection system elements. a. Corrective maintenance must be initiated within 24 hours of the indication that a malfunction of site-determined essential system elements has occurred for systems protecting Category I quantities of SNM, and roll-up to Category I quantities of SNM and Top Secret matter. b. Compensatory measures must be implemented immediately when any part of the essential system element protecting Category I quantities of SNM, and roll-up to Category I quantities of SNM and Top Secret matter is out of service. Compensatory measures must be continued until maintenance is complete and the essential system element is back in service. c. Corrective maintenance must be initiated within 72 hours of detection of malfunction for all other protection system elements protecting Category I and II SNM and Top Secret matter. Corrective maintenance for these other assets must be determined by the local safeguards and security approving authority. d. Protection system elements protecting Category III and IV quantities of SNM and Secret and Confidential matter must be initiated as prescribed in plant operation procedures for corrective maintenance. Compensatory measures must be applied to maintain the minimum protection requirements of Chapters II and III of this Manual. 3. PREVENTIVE MAINTENANCE. Preventive maintenance is required on critical safeguards and security-related subsystems and components. Preventive maintenance must comply at a minimum with manufacturer's specifications and recommendations. The following system elements must be included in a preventive maintenance program: a. intrusion detection and assessment systems, b. CAS and SAS communications and display systems, c. data and voice communications, d. protective force equipment, e. personnel access control and entry inspection equipment, f. package and matter inspection equipment, g. vehicle inspection equipment, h. security lighting, and i. security system-related emergency power or auxiliary power supplies. 4. MAINTENANCE PERSONNEL ACCESS AUTHORIZATION. Personnel who test, maintain, or service critical systems must have access authorizations consistent with the category of SNM and/or classified matter being protected, unless such testing and maintenance are performed as bench services away from the security area or are under the supervision of an appropriately cleared custodian knowledgeable of the system and/or critical component. Systems or critical components bench-tested or maintained away from a security area by personnel without the appropriate access authorization must be inspected and operationally tested by qualified and cleared personnel prior to being put into service. 5. RECORD KEEPING. Testing records must be retained in accordance with the requirements of records management procedures. CHAPTER XIV PROTECTION ELEMENT: POSTING NOTICES 1. GENERAL REQUIREMENTS. Signs must be posted at facilities, installations, and real property based upon the need to implement Federal statutes protecting against espionage, sabotage, or degradation of safeguards and security interests. a. Signs listing prohibited articles, as stated in Chapter V, Paragraph 1f of this Manual, must be posted at entrances to security areas. b. Warning signs and/or notices must be posted at entrances to areas under protection advising that physical protection surveillance equipment is operational. 2. TRESPASSING. DOE property must be posted according to statutes, regulations, and the administrative requirements for posting specified in this Manual. a. Statutory and Regulatory Provisions. (1) Section 229 of the Atomic Energy Act of 1954, as amended, and as implemented by Title 10 CFR Part 860, prohibits unauthorized entry and unauthorized carrying, transporting, or otherwise introducing or causing to be introduced any dangerous weapon, explosives, or other dangerous instrument or matter likely to produce substantial injury to persons or damage to property into or upon any facility, installation, or real property subject to the jurisdiction, administration, or in the custody of DOE. The statute provides for posting regulations and penalties for violations. (2) Section 662 of the Department of Energy Organization Act, as implemented by Title 10 CFR Part 1048, prohibits unauthorized entry upon and unauthorized carrying, transporting, or otherwise introducing or causing to be introduced, any dangerous instrument or material likely to produce substantial injury or damage to persons or property into or onto the Strategic Petroleum Reserve, its storage or related facilities, or real property subject to the jurisdiction, administration, or custody of DOE. The statute provides for posting regulations and penalties for violations. (3) Title 41 CFR Part 101-19.3 provides rules and regulations governing entry to public buildings and grounds under the charge and control of GSA. b. Posting Proposals. Requirements for the administration of posting proposals are as follows. (1) Conditions. Proposals for the posting of facilities, installations, or real property, or amendment to or revocation of a previous proposal, must be submitted when the following occurs. (a) The property is owned by or contracted to the United States for DOE use. (b) The property requires protection under Section 229, Atomic Energy Act of 1954, as amended, and/or Section 662 of the Department of Energy Organization Act. (c) A previous notice needs to be amended or revoked. (2) Contents. (a) Each posting proposal must contain the name and specific location of the installation, facility, or real property to be covered and the boundary coordinates. If boundary coordinates are not available, the proposal must furnish reasonable notice of the area to be covered, which may be an entire area or any portion thereof that can be physically delineated by the posting indicated in Paragraph 2c below. (b) Each proposal for amendment or revocation must identify the property involved, state clearly the action to be taken (i.e., change in property description, correction, or revocation), and contain a new or revised property description, if required. c. Posting Requirements. (1) Upon approval by the Director of Security Affairs, a notice designating the facility, installation, or real property must be published in the Federal Register; the notice is effective upon such publication, providing the notices stating the pertinent prohibitions and penalties are posted. (2) Property approved by the Director of Security Affairs for coverage under Section 229, Atomic Energy Act of 1954, as amended, must be posted at entrances and at such intervals along the perimeter of the property to provide reasonable assurance of notice to persons who enter therein. Signs must measure at least 11 inches by 14 inches (28 by 36 centimeters). d. Notification to the Federal Bureau of Investigation. Notification of the date of posting, relocation or removal of posting, or other change, and the identity of the property involved must be furnished promptly to the applicable office of the Federal Bureau of Investigation exercising investigative responsibility over the property. CHAPTER XV PROTECTION ELEMENT: SECURITY BADGE PROGRAM 1. GENERAL REQUIREMENTS. The DOE security badge is the Office of Safeguards and Security's approved security badge for access to all DOE facilities. The DOE security badge shall be issued to all Federal and non-Federal personnel and worn in plain view on the upper body during access to DOE facilities. a. Specifications for the badge are set forth in the DOE Badge Program document, published by the Office of Safeguards and Security. b. This DOE Badge Program provides the format for (1) uniform placement of required features such as organization identification, serial number, magnetic stripe, and photograph; (2) designated indicators for access authorizations; and (3) other features. c. The issuing authority's cognizant DOE security office must approve the local DOE security badge procedures, including approval of the badges. By approving the badge, the issuing authority ensures that the badges meet the design requirements provided in the DOE Badge Program Document. Any design parameters that are not met and cause the DOE employee and DOE contractor badges to be unacceptable for access to other DOE sites must be resolved between the issuing authority and the site where access is being denied. d. The issuing authority is responsible for educating badge holders on the proper use and responsibilities associated with DOE security badges. e. The cognizant DOE security office may exclude property protection areas from the requirement that personnel wear their security badges if the areas are not used exclusively for DOE interests and public access is invited, or when the areas are within the public domain, as on a college campus. In addition, the cognizant DOE security office may exempt DOE and DOE contractor facilities and operations involving access of fewer than 30 people in accordance with Paragraph 3d below. f. The issuing authority must approve procedures for recovering security badges, which must be carefully followed at each site. DOE badges must be returned to the cognizant DOE security office or otherwise recovered in the following situations: (1) Federal employees leave employment or are transferred; (2) DOE contractor or subcontractor personnel are either transferred or their contracts terminate or expire. 2. SECURITY BADGES. DOE badge categories are as follow. a. DOE Employee and DOE Contractor Employee Badges. These are the permanent DOE security badges that must be issued to Federal and non-Federal employees for access to sites throughout the DOE complex. (1) Only one permanent DOE badge may be issued to each employee. (2) The information for that badge holder must be entered into the Visitor Access Database (VADB), except for local site-specific badges as defined in "2d" below. The VADB is used to determine access privileges when the badge holder is visiting other DOE sites. (3) These badges must be issued by the organization/badging authority reporting to the DOE element holding the personnel clearance file. If the employee does not possess an active personnel security file, the badge must be issued by the employee's home site. b. Local Site-Specific Only (LSSO) Badges. The term LSSO applies to all non-standard DOE security badges. (1) LSSO badges include visitor badges, provisional badges, foreign national (FN) badges, and other site-specific badges designed and implemented to meet local requirements. (2) The cognizant local DOE authority for safeguards and security must prescribe procedures for the design, issuance, use, and return of LSSO badges. (a) The issuing authority must instruct the recipient that LSSO badges may only be used at the issuing site, as well as any other site limitations that may apply. (b) Sites may not grant admission to anyone using an LSSO badge issued by another site. (c) LSSO badges may be honored for access only at the site where they were issued. (d) LSSO badges issued by other than the local DOE safeguards and security authority and used in an attempt to gain access must be confiscated. However, LSSO badges may be used as photo identification in order to obtain an authorized locally issued badge and will not be confiscated in that situation. (e) The LSSO badge may or may not contain the individual's photograph. (3) DOE badge specifications allow LSSO provisional and visitor badges to follow the color coding for access authorization and be usable in the site automated access controls system. However, LSSO provisional and visitor badges must be distinctive in other ways to prevent their use at sites other than the sites where the badges were issued. c. Visitor and Temporary Badges. A procedure for the issuance of visitor and temporary badges must be implemented locally. The visited site must issue an LSSO badge for the on-site visit of authorized personnel who have not been provided a DOE security badge as described in the DOE Badge Program Document, Volume I. (1) An LSSO badge may be issued to visitors, such as military and other Federal agency personnel who require long-term access to DOE facilities but do not occupy full-time DOE positions. These visitors may be issued an LSSO badge if they possess a "Q" or "L" DOE access authorization or a "TS" or "S" clearance granted by a Federal agency other than DOE. This category includes (a) DOE contractors, local military, and other Federal personnel who are given site-specific access but whose duties do not require them to access other DOE facilities or Restricted Data and/or (b) those personnel awaiting DOE "Q" or "L" access authorization. (2) Personnel who are issued DOE LSSO security badges may not use their badges to enter any DOE facility other than the one where the badge was issued. (3) Visitors and military or other Federal agency personnel not provided with a permanent DOE security badge must follow the visitation procedures of the site to be visited as approved by the visited site's local DOE safeguards and security approving authority. (4) Visitors who hold an LSSO badge from another site and who request access to limited areas, exclusion areas, protected areas, and material access areas or classified information including sigmas must submit DOE F 5631.20, "Request for Visit or Access Approval," as indicated in DOE O 470.1, SAFEGUARDS AND SECURITY PROGRAM. (a) The request must be submitted by the individual's DOE sponsor if he/she travels in DOE's interest or by the individual's parent employer if he/she travels in the employer's interest. (b) Visit requests must be sent directly from visiting individuals' security officers to security officers at the sites to be visited. d. Provisional Badges. Provisional or temporary badges may be issued to DOE and contractor employees under the locally developed procedures as a temporary measure when badges are lost, forgotten, or stolen. Provisional or temporary badges may be designed without the use of the DOE standard badge colors to indicate clearance, and without the name and photograph. Provisional badges must clearly indicate the temporary nature of the badge. e. Foreign National Badges. Badges issued to FNS must be as follows. (1) Cleared Foreign National DOE Employees and DOE Contractor Employees. Cleared FNS must be issued a DOE security badge. The only difference between the cleared foreign national badge and the DOE standard badge is that the individual's country of citizenship must be displayed. The DOE security badge issued to the cleared FN must be issued by the organization/badging authority reporting to the DOE element holding the personnel clearance file. Cleared FNS must adhere to the requirements in DOE N 142.1, Unclassified Foreign Visits and Assignments, or the Classified Visit portion of the Safeguards and Security Program (DOE O 470.1) when visiting other DOE facilities. (2) Uncleared Foreign Nationals. This badge must be issued to uncleared employees who are not citizens of the United States, and whose duties require routine or regular access to DOE facilities in performance of their official duties. FNs who do not possess active personnel security files must be issued an LSSO badge by the employee's home site. These badges issued to uncleared foreign national employees must be red in color. (Note: The color red is reserved exclusively for uncleared foreign national badges. This color must not be used for any other type of LSSO badge.) f. Other Site-Specific Badges. LSSO badges may be developed and issued to address a variety of issues to meet site-specific requirements. These badges need not meet the standard DOE badge design given in the DOE Badge Program Document, but they cannot follow the color schemes used for DOE employee badges, contractor employee badges, or uncleared foreign nationals badges. 3. ISSUANCE, USE, RECOVERY, AND DESTRUCTION OF SECURITY BADGES. The requirements that apply to the issuance, use, recovery, and destruction of security badges are as follows. a. Issuance of Security Badges. Security badges that meet the requirements in the DOE Badge Program Document must be issued to all DOE employees and contractor employees who have been granted DOE access authorizations (see DOE O 472.1B). These badges must be used and accepted at other DOE sites and facilities. b. Site Usage. Appropriately-coded security badges must be used and accepted as evidence of an access authorization (or security clearance) and must be accepted for admittance to limited areas without need for additional badging. (1) Verification of an individual's DOE access authorization level and determination of "need-to-know" remain the responsibility of the individual or organization being visited prior to granting access to SNM or classified information. (2) The information on the magnetic stripe must not be used for any purpose other than access control. The information on the magnetic stripe must not be collected and stored outside of DOE access control applications. c. Individual Requirements. The individual receiving the DOE security badge is responsible for (1) protecting security badges against loss, theft, or misuse and reporting a lost, stolen, or misused badge to the cognizant security office within 24 hours of discovery; (2) maintaining the badge in good condition and protecting its integrity by ensuring that the badge is not altered, photocopied, counterfeited, reproduced, or photographed; (3) returning the security badge to the local safeguards and security authority when it is no longer valid or required; or (4) returning the security badge when requested by the supervisor, safeguards and security office, or protective force personnel; (5) wearing the badge conspicuously, photo side out, in a location above the waist and on the front of the body while having access to DOE facilities (this requirement may be nullified for health or safety reasons); (6) ensuring that badges are not used as a means of identification outside of DOE facilities or other Government facilities. d. 30-Person or Less Operation. (1) DOE security badges must be used at DOE and DOE contractor facilities and operations involving access of 30 or more people to safeguards and security interests and/or security areas. (2) Less-than-30-person operations may be excluded from the security badge requirement only when the nature of activities and involvements permits adherence to a personal recognition system that provides similarly high levels of assurance that unauthorized persons will not be allowed access to security areas, facilities, classified matter, or other security interests. e. Recovery of Security Badges. DOE security badges are the property of the Government and must be returned to the issuing office whenever an individual has terminated employment, is transferred (including transfer of contractor between contracts and when changing employment with contractors at the same site), or otherwise no longer requires the badge. (1) Individuals who no longer have a valid requirement for access to DOE facilities must surrender their badges to the local DOE issuing office. (2) Badges issued to employees, contractors, and other individuals must be recovered at the final security checkpoint or earlier, and the individual(s) must be escorted from the site if circumstances or conditions indicate such action is needed. Recovered security badges must be destroyed. (3) If a terminated employee's security badge is not recovered, the badge is to be treated as a lost or stolen badge and reported to the issuing office to prevent misuse of the badge. f. The badge may be recovered and reissued, with a new photograph, if the individual's appearance has changed significantly. g. Security badges that are no longer needed must be destroyed so that the badge cannot be reconstructed. If destruction is not immediate, badges must be stored in a secure manner until they can be destroyed. Provisional and visitor's badges that do not include individuals' photos must be recovered and may be reissued. 4. ACCOUNTABILITY OF BADGES. Records must be maintained by issuing offices showing the disposition of security badges. Such records must include, as a minimum, description and serial number of item issued, date of issuance, and name, organization, and date of destruction. a. Records. Records must be maintained in accordance with the requirements of the records management program. b. Lost Badges. A record of missing security badges must be maintained. Personnel and/or systems controlling access to security areas must be provided current information regarding missing badges in order to prevent security badge misuse. The loss or recovery of badges must be reported immediately to the issuing office. 5. PROTECTION OF SECURITY BADGE MATERIALS AND EQUIPMENT. Stocks of badging materials, unissued security badges, and badge-making and processing equipment must be stored to protect against loss, theft, or unauthorized use. All personnel with access to badge materials and badge-making equipment must have access authorizations or clearances to the highest level of security badges that would be required because of materials present. 6. BADGE VALIDATION. Protective personnel at access control portals must validate the security badge at all DOE facilities by touching all DOE security badges, including pedestrians or those inside vehicles, and ensuring that the badge photo matches the presenter's face and that the badge has not been altered. This standardized procedure applies at all portals where protective personnel validate the identity of the badge holder. Badge validation by protective personnel is not required at access control portals that rely on automated access control systems for entry into DOE facilities; however, other methods of validation may be required as specified in Chapter IX. APPENDICES CONTRACTOR REQUIREMENTS DOCUMENT DOE M 473.1-1, PHYSICAL PROTECTION PROGRAM MANUAL This Contractor Requirements Document (CRD) is issued to aid in the identification of requirements applicable to contractors, as stated in Paragraph 5 of the CRD attached to DOE O 473.1, PHYSICAL PROTECTION PROGRAM. All requirements contained in DOE M 473.1-1 apply to contractors with responsibilities for operating and administering the Department's physical protection program and/or for protecting safeguards and security interests. The requirements in this Manual must flow down to all subcontractors who have responsibilities for operation, administering, and/or protecting DOE safeguards and security interests. REFERENCES 1. Nuclear Waste Policy Act of 1982, Public Law 97-425, as amended. 2. Title 42 U.S.C. 7270b, Trespass on Strategic Petroleum Reserve Facilities, which a. authorizes issuance of regulations concerning unauthorized entry into or upon the Strategic Petroleum Reserve, its storage or related facilities, or real property subject to the jurisdiction, administration, or in the custody of the Secretary of Energy under Part B of Title I of the Energy Policy and Conservation Act (42 U.S.C. 6231-6247); and b. prohibits carrying, transporting, or otherwise introducing or causing to be introduced any dangerous weapon, explosives, or other dangerous instrument or material likely to produce substantial injury or damage to persons or property into or upon such property; and c. provides that any person who willfully violates regulations issued under 42 U.S.C. 7270b is guilty of a misdemeanor and must be punished upon conviction by a fine of not more than $5,000, imprisonment of not more than 1 year, or both. 3. Title 42 U.S.C. 2011, et seq. (Atomic Energy Act of 1954, as amended): a. Chapter 23, Subchapter XI, Control of Information, Sections 2162 2167, inclusive, which set forth the principles for the control of Restricted Data; b. Chapter 23, Subchapter XVII, Enforcement, Sections 2274 2277, which set forth the authority necessary to protect Restricted Data and property and establishes criminal penalties for violation of provisions of the Atomic Energy Act; c. Chapter 23, Subchapter XVII, Enforcement, Section 2278a, which sets forth the authority to issue regulations and establish penalties for violating these regulations relating to the entry upon or carrying, transporting, or otherwise introducing or causing to be introduced any dangerous weapon, explosives, or other dangerous instrument or material likely to produce substantial injury or damage to persons or property, into or upon any facility, installation, or real property of the DOE or the NRC. 4. Title 10 CFR 73.37, Requirements for Physical Protection of Irradiated Reactor Fuel in Transit, which identifies procedures for protecting licensee shipments of irradiated reactor fuel. Appendix D establishes training requirements for escorts of licensee shipments. Appendix E establishes levels of physical protection to be applied to international shipments. 5. Title 10 CFR Part 710, Criteria and Procedures for Determining Eligibility for Access to Classified Matter or Special Nuclear Material, which establishes policies on personnel security clearances. 6. Title 10 CFR Part 860, Trespassing on Department of Energy Property, which is issued for the protection and security of facilities, installations, and real property subject to the jurisdiction or administration of, or in the custody of, DOE. 7. Title 10 CFR Part 1048, Trespassing on Strategic Petroleum Reserve Facilities and Other Property, which is issued for the protection and security of (a) the Strategic Petroleum Reserve, its storage or related facilities, and real property subject to the jurisdiction or administration or in the custody of DOE under Part B, Title I of the Energy Policy and Conservation Act, as amended (42 U.S.C. 6231-6247); and (b) persons upon the Strategic Petroleum Reserve or other property subject to DOE jurisdiction under Part B, Title I of the Energy Policy and Conservation Act. 8. Title 41 CFR Chapter 101, Federal Property Management Regulations, which sets forth introductory material concerning the Federal Property Management Regulations System; its content; types; publications, including federal specifications and standards; authority; applicability; numbering; deviation procedures; as well as agency consultation, implementation, and supplementation. 9. Title 48 CFR Section 952.204-2, Security Requirements, which provides clauses to be included in contracts that involve or are likely to involve classified information, and Section 952.245-2, Government property (fixed-price contracts), which includes clauses to be inserted in all contracts and modifications to contracts involving Government property. 10. Title 49 CFR, Chapter I, Research and Special Programs Administration, Department of Transportation, Subchapter C, Hazardous Materials Regulations, which identifies Federal rules for packaging and transporting hazardous materials, hazardous substances, and hazardous wastes, and Section 173.22, "Shipper's Responsibility," which describes physical protection requirements for the shipment of unclassified irradiated reactor fuel. 11. Executive Order 12829, National Industrial Security Program, of 1-6-93, which establishes a single, integrated, cohesive industrial security program to protect classified information and to preserve the Nation's economic and technological interests. 12. Executive Order 12958, Classified National Security Information, dated 4-17-95, which provides requirements concerning classification of information. 13. DOE O 151.1, Comprehensive Emergency Management System, dated 9-25-95, which identifies overall policy and requirements for an emergency management system. Specifically, Chapter IV, Operational Emergency Hazardous Material Program, and Chapter V, Operational Emergency Events and Conditions, establish requirements for site-specific emergency plans and procedures for radiological emergencies (including malevolent threats or acts) occurring in DOE reactor and non-reactor nuclear facilities. 14. DOE O 200.1, Information Management Program, dated 9-30-96, which ensures DOE missions and goals, information, information resources, and information technology investment decisions will be made based on programmatic need. DOE M 200.1-1, Telecommunications Security Manual, provides for approved methods of transmitting Communications Security (COMSEC) material and COMSEC keying material. 15. DOE O 232.1A, Occurrence Reporting and Processing of Operations Information, dated 7- 21-97, which establishes a system for reporting operation information related to facilities and processing that information to provide for the appropriate corrective action. 16. DOE O 430.1A, Life Cycle Asset Management, dated 10-14-98, which establishes DOE policies and procedures for planning the development and use of sites and facilities, provides general policy and objectives for the management and performance of cost-effective maintenance and repair of property, and provides design criteria for use in the acquisition of the Department's facilities. 17. DOE O 452.1A, Nuclear Explosive and Weapons Surety Program, dated 01-17-97, which establishes DOE nuclear surety objectives. 18. DOE O 452.2, Safety of Nuclear Explosive Operations, dated 01-17-97, which establishes the responsibilities for nuclear safety, security, and control. 19. DOE O 460.1A, Packaging And Transportation Safety, dated 10-2-96, which establishes policies and procedures for approval of package designs for radioactive materials. 20. DOE O 460.2, Departmental Materials Transportation and Packaging Management, dated 9- 27-95, which establishes policies and procedures for materials transportation and packaging operations. 21. DOE O 470.1, Safeguards and Security Program, dated 9-28-95, which provides policies for the safeguards and security program; specifically paragraph f, which establishes the deviation program. a. Chapter I, Safeguards And Security Program Planning, which establishes a standard approach to protection program planning. b. Chapter III, Performance Assurance Program, which establishes a systematic process for demonstrating the adequacy and functional reliability of critical system elements. c. Chapter V, Facility Clearances And Registration of Safeguards And Security Activities, which establishes DOE requirements for on-site security and/or nuclear materials surveys of facilities with safeguards and security interests. d. Chapter VIII, Control of Classified Visits Program, which establishes standards and procedures for controlling visitors to DOE and DOE contractor, subcontractor, and access permitted facilities. 22. DOE O 471.2A, Information Security Program, dated 3-27-97, which establishes the policies, procedures, and responsibilities for the protection and control of classified and sensitive information, specifically Chapter III, Classified Information Systems Security, which establishes requirements, policies, and responsibilities for the development and implementation of a DOE program to ensure the security of information stored in classified computer systems. 23. DOE M 471.2-1B, Classified Matter Protection and Control MANUAL, dated 1-6-99, Chapter III, PHYSICAL PROTECTION, which establishes the physical requirements for the protection of classified matter. 24. DOE O 472.1B, Personnel Security Activities, dated 3-24-97, which establishes the policy, responsibilities, and authorities for implementing the DOE Personnel Security Program. 25. DOE O 474.1, Control And Accountability of Nuclear Materials, dated 8-11-99, which prescribes DOE policies and responsibilities for control and accountability of nuclear materials. 26. DOE M 474.1-1, Manual For Control And Accountability of Nuclear Materials, dated 8-11- 99, which implements DOE O 474.1 in that it prescribes the DOE requirements and procedures for nuclear material control and accountability. 27. DOE 1240.2B, Unclassified Visits and Assignments by Foreign Nationals, dated 8-21-92, which establishes authorities, responsibilities, and policy, and prescribes administrative procedures for visits and assignments by foreign nationals to DOE facilities. 28. DOE 1450.4, Consensual Listening-in to or Recording Telephone/ Radio Conversations, dated 11-12-92, which specifies the DOE policy regarding the consensual listening-in to or recording of conversations on radio and telephone systems. 29. DOE 5632.7A, Protective Force Program, dated 4-13-94, which prescribes DOE policies and responsibilities for the protective force charged with the protection of safeguards and security interests. 30. "Access Delay, Technology Transfer Manual," SAND 87-1926/UC-515, Sandia National Laboratories, dated 9-89, which defines the role of barriers in a physical protection program, provides a source for penetration times for barriers, and defines methods for upgrading existing barriers. 31. "Alarm Communication and Display Technology Transfer Manual," SAND 90-0729/ UC-515, Sandia National Laboratories, dated 5-17-90, which provides a description of the hardware and techniques required to implement an alarm communication and display system. 32. American Nuclear Standard Institute (ANSI) X3.92-1981 (R 1998), Data Encryption Algorithm, also known as FIPS 46.1. 33. ASTM E413-87(1999), "Standard Classification for Rating Sound Insulation." This classification provides methods of calculating single-number acoustical ratings for laboratory and field measurements of sound transmission obtained in one-third octave bands. The method may be applied to laboratory or field measurements of the sound transmission loss of a partition in which case the single-number ratings are called sound transmission class (STC) or field sound transmission class (FSTC), respectively. 34. ASTM F792-88 (1993)el, "Standard Practice for Design and Use of Ionizing Radiation Equipment for the Detection of Items Prohibited in Controlled Access Areas," which covers the use of ionizing radiation imaging techniques for the detection of questionable items, such as weapons and devices intended to trigger explosives, in order to determine their presence in hand-carried baggage, packages, checked or unaccompanied luggage, cargo, or mail at screening points for controlling access to secure areas. 35. CGSS-3, Classification Guide for Safeguards and Security Information, of 8-1-94, Office of Classification and Technology Policy, which provides classification determinations for National Security Information (NSI) concerning nuclear safeguards and various aspects of security and guidance for classifying documents and materials containing NSI, Formerly Restricted Data, and/or Restricted Data. 36. "Design Basis Threat for the Department of Energy Programs and Facilities (U)" of February 1999, issued by the Director of Security Affairs, which identifies and characterizes the range of potential adversary threats to the Department's programs and facilities, which could adversely affect national security, the health and safety of employees or the public, the environment, or DOE safeguards and security interests. 37. DCID 1/21, "Physical Security Standards for Sensitive Compartmented Information Facilities," dated 1-30-94, which provides standards for the protection of classified information requiring extraordinary security safeguards. 38. DCID 1/22, "Technical Surveillance Countermeasures," dated 7-3-85, which establishes the policy and procedures for the conduct and coordination of technical surveillance countermeasures. 39. "Entry Control Systems, Technology Transfer Manual," SAND 87-1927, Sandia National Laboratories, of 12-8-88, which compiles information regarding entry control systems and their application to physical protection programs. 40. "Exterior Intrusion Detection Systems Technology Transfer Manual," SAND 89-1923/UC- 515, Sandia National Laboratories, of 2-28-90, which discusses each class of detection systems and how to select the proper sensors and how to combine them into an effective perimeter subsystem. 41. Federal Specification W-A-450-C, "Alarm Systems Protective, Interior," which provides specifications for interior alarm systems. 42. Federal Specification AA-D-600B, "Door, Vault, Security," which provides specifications for vault doors. 43. Federal Specification AA-V-2737, "Modular Vault Systems," which describes a relocatable system for storing classified matter that provides a minimum of 15 minutes of protection against a multilevel tool attack, including torches, portable electric drills, power saws, hydraulic jacks, and other tools. 44. Federal Specification FF-L-2740, "Locks, Combination," which covers changeable combination locks designed to be mounted on safes, security files, vault doors, and similar items. 45. Federal Specification FF-P-2827, "Padlock, Key Operated, General Field Service," which describes two sizes of "U"-shaped shackle, key-operated, heavy-duty commercial padlocks. 46. Institute of Electrical and Electronic Engineers (IEEE) C37.91-1985 (R1990) "IEEE Guide for Protective Relay Applications to Power Transformers (ANSI)." 47. "Protecting Security Communications, Technology Transfer Manual," SAND 90-0397/UC- 515, Sandia National Laboratories, dated 1-90, which discusses the functions of a security communications network, its susceptibility to disruption, and the means by which security radio communications may be protected. 48. Safeguards and Security Glossary of Terms, Office of Safeguards and Security, of 12-18-95, which contains standardized definitions of terms used in the Safeguards and Security Program. 49. Underwriters Laboratories (UL) Standard 365-1994, "Standard for Safety for Police Station Connected Burglar Alarm Units and Systems," which states requirements covering construction, performance, and maintenance of police station connected burglar alarm units and systems. 50. UL Standard 752-1997, "Standard for Safety for Bullet-Resisting Equipment," which provides a standard for bullet-resisting equipment. 51. U.S. Department of Energy Security Container and Locking Device Guide, dated 10-93, which contains information on locks and security storage devices. 52. Video Assessment Technology Transfer Manual, SAND 89-1924/UC-515, Sandia National Laboratories, dated 8-21-89, which compiles information regarding video assessment systems used in physical protection programs. 53. Volume 50 FR 46452, "Federal Radiological Emergency Response Plan," dated 11-8-85, which describes Federal agency responsibilities during peacetime radiological emergencies including those in transportation.

DOE M 473.1-1 Draft 473.1-1 Physical Protection Program Manual <ORG> SO <SUMMARY> This Manual provides detailed requirements to supplement DOE O 473.1, Physical Protection Program, which establishes policy, requirements, responsibilities, and authorities for the physical protection of safeguards and security interests (e.g., Departmental property and assets on fixed facilities and in transit, including nuclear weapons, special nuclear material, vital equipment, and classified matter). This Manual contains 15 chapters that provide detailed requirements for protection of safeguards and security interests. <DATE_ISSUE> 02/9/2000 <DATE_CLOSE> <TEXT> <h3><b>To comment on this manual, please go to <a href="http://www.revcom.doe.gov">RevCom</a>.</b></h3> PHYSICAL PROTECTION PROGRAM MANUAL 1. PURPOSE. This Department of Energy (DOE) Manual provides detailed requirements to supplement DOE O 473.1, Physical Protection Program, which establishes policy, requirements, responsibilities, and authorities for the physical protection of safeguards and security interests (e.g., Departmental property and assets on fixed facilities and in transit, including nuclear weapons, special nuclear material, vital equipment, and classified matter). This Manual contains 15 chapters that provide detailed requirements for protection of safeguards and security interests. 2. APPLICABILITY. a. DOE Elements. This Manual applies to all DOE elements. b. Contractor. Except as excluded in Paragraph 2c below, this Manual applies to all covered contractors (i.e., any DOE contractor or subcontractor subject to DOE Acquisition Regulation, Part 952.204.2, or other clause requiring protection of classified information, nuclear material, or other sensitive information or activities) subject to the provisions of DOE O 473.1, to the extent implemented under a contract. Contractor requirements are listed in the Contractor Requirements Document (CRD), Attachment 1. The CRD is issued to aid procurement organizations in identifying the provisions of this Manual that are to be applied to DOE contractors, and they will apply to the extent implemented under a contract or other agreement. c. Exclusions. DOE facilities and activities regulated by the Nuclear Regulatory Commission. 3. CANCELLATIONS. DOE M 473.1-1 cancels DOE Manual 5632.1C-1, Manual For The Protection And Control of Safeguards And Security Interests, dated 7-15-94. The provisions of DOE O 6430.1A, General Design Criteria, have been incorporated into this Manual, canceling its security design criteria requirements. Cancellation of an Order or Manual does not, by itself, modify or otherwise affect any contractual obligation to comply with such an Order or Manual. Canceled Orders and Manuals which are incorporated by reference into a contract shall remain in effect until the contract is modified to delete the reference to the requirements in the canceled Order or Manual. 4. REFERENCES AND DEFINITIONS. a. See Attachment 2 for a list of references pertinent to the protection of safeguards and security interests. b. Definitions of terms commonly used in the Safeguards and Security Program are provided in the "Safeguards and Security Glossary of Terms," which is maintained and distributed by the Office of Safeguards and Security. 5. DEVIATIONS. Deviations (i.e., variances, waivers, and exceptions) from the protection requirements prescribed by DOE M 473.1-1 must be processed in accordance with DOE O 470.1, Safeguards And Security Program. The Office of Safeguards and Security deviation program is an approved process that meets the definition in DOE M 251.1-1, Directives System Manual, for exemptions. Deviations to this Manual must provide a 30-day window from receipt by the Department's Office of Safeguards and Security for comments and concurrence as stated in M 251.1-1. 6. ASSISTANCE. Questions concerning this Manual should be directed to the Program Manager, Protection Operations Program, at 301-903-5693. 7. IMPLEMENTATION. Any requirements that cannot be implemented within 6 months of the effective date of this Manual or within existing resources must be documented by heads of field elements and submitted to the program offices and to the Office of Safeguards and Security. CHAPTER I PROTECTION PLANNING 1. PLANNING. The details of site physical protection measures contained in this Manual must be addressed in the site safeguards and security plans (SSSP), as required by DOE O 470.1, SAFEGUARDS AND SECURITY PROGRAM, dated 9-28-95. a. In locations where an SSSP is not required due to the limited scope of safeguards and security interests, a security plan must be developed to describe the protection program. b. The graded physical protection measures provided various safeguards and security interests, including critical infrastructure assets, and DOE property, must be described, justified, and documented in the SSSP or in the security plans. 2. PROTECTION STRATEGY. Protection strategies must be selected, developed, and implemented to protect security interests as required by DOE O 470.1. The primary protection strategies that shall be in place for Category I and II quantities of special nuclear materials (SNM) are denial and containment, depending upon the security interest. Required secondary protection strategies for Category I and II quantities of SNM-that is, recapture, recovery, and pursuit must be developed and in place in the event that the primary protection strategy (denial or containment) fails. Overall site protection strategies shall be planned to incorporate both primary and secondary protection strategies, as needed. a. Strategies. Protection strategies shall be graded to address varying circumstances. (1) Denial Strategy. A denial strategy shall include the capabilities necessary to prevent an adversary from gaining unauthorized access to a security interest. (2) Containment Strategy. A containment strategy must include the capabilities necessary to prevent an adversary from escaping from a site and/or facility with the security interest. (3) Recapture Strategy. A recapture strategy must include the capabilities necessary to locate and/or regain control of a security interest, which that is under unauthorized control while still within the confines of a DOE site/facility. The recapture strategy must ensure that, at a minimum, adversaries are neutralized prior to the completion of established adversary tasks times. (4) Recovery Strategy. A recovery strategy must include the capabilities of locating necessary to locate and/or regain control of a security interest, which that is under unauthorized control, and that has been removed from within the confines of a DOE site/facility. (5) Pursuit Strategy. A pursuit strategy must include the capabilities of giving necessary to give chase for the purpose of regaining control (recovery) of a security interest, that is under unauthorized control and that has been removed from within the confines of a DOE site/facility. b. Strategies for Specific Security Interests. (1) Those DOE facilities that possess, transport, process, and store safeguards and security interests, (for example, Category I quantities of SNM) where unauthorized access presents an unacceptable risk (for example, detonation of a nuclear device, theft of a device, or creation of an improvised nuclear device or nuclear dispersal device) must be protected with a denial strategy designed to prevent unauthorized access to the security interest. (a) The denial strategy must use protection measures (e.g., personnel reliability programs, denial barriers/systems, protective forces, etc.) to ensure that unauthorized access is not achieved. (b) Should the denial strategy fail, an immediate and timely recapture strategy must be in place to ensure that, at a minimum, adversaries are neutralized prior to the completion of established adversary task times. (c) Should the adversary escape with the security interest, robust recovery and pursuit strategies must be implemented. (2) Those DOE facilities that possess, transport, process, and store Category I quantities of SNM where unauthorized access does not present unacceptable risk and/or Category II quantities of SNM, including those quantities that roll- up to Category I, must be protected with a strategy of containment. Should the containment strategy fail, immediate and timely recapture, recovery, and pursuit strategies must be in place. c. Strategies for the physical protection of Categories III and IV quantities of SNM must incorporate the applicable protection requirements established in Chapter II, and; these strategies must be described in the SSSP. d. Strategies for the physical protection of classified matter must incorporate the applicable requirements established in Chapter III of this Manual. The strategy must be based on efforts that will detect or deter unauthorized disclosure, modification, loss of availability, and removal from a site or facility of classified information or sensitive but unclassified information. e. Strategies for the physical protection of any category or quantity of SNM that is considered a radiological/toxicological sabotage targets target must incorporate the applicable requirements established in Chapter IV. Protection strategies must be designed to prevent acts of radiological/toxicological sabotage acts that would pose significant dangers to the health and safety of employees, the public, or the environment. These strategies may be graded to address varying circumstances and may range from denial to containment. f. Strategies for the physical protection of critical infrastructure assets must include the identification of assets and protection. A vulnerability assessment of these assets include must be conducted to identify the threat posed, and the probability of its occurrence. Remedial action plans must be developed to mitigate the effect to critical infrastructure assets by eliminating the vulnerabilities or reducing them to an acceptable level. Existing security interest protection programs must be used where available and must be contained within the minimum of a DOE limited area. g. Strategies for the physical protection of other safeguards and security interests and the protection of DOE property must be developed and implemented in security plans. 3. GRADED PROTECTION. Protection may be applied in a graded manner. a. Layers of Protection. The adequacy of physical security systems is determined by protection strategies designed to ensure that the security interests are protected by ascending layers of protection graded to accommodate the security areas to be protected. b. Graded Protection Requirements. The level of effort and magnitude of resources expended to protect a security interest must be commensurate with the security interest's importance or the effect of its loss, destruction, or misuse. (1) The highest level of protection must be given to security interests whose loss, theft, compromise, sabotage, and/or unauthorized use will have seriously affect national security, and/or impact the health and safety of DOE and contractor employees, the public, and the environment, or the continuity of DOE programs. For example, theft of SNM has severe consequences and therefore requires the highest reasonably attainable level of security. (2) Asset valuation, threat analysis, and vulnerability assessments must be considered, along with the acceptable level of risk and any uncertainties, to determine if the risk is significant and what protection measures should be applied. (3) Protection of other interests must be graded accordingly. Protection -related plans must describe and document the rationale used for selecting the graded protection provided the various safeguards and security interests. 4. PERFORMANCE ASSURANCE. Safeguards and security protection program systems must be tested as required by DOE O 470.1, Chapter III, to ascertain effectiveness in providing countermeasures to address design basis threats. CHAPTER II PROTECTION OF NUCLEAR WEAPONS, SPECIAL NUCLEAR MATERIAL AND VITAL EQUIPMENT 1. GENERAL. This chapter outlines requirements for protecting nuclear weapons and Categories I through IV quantities of SNM. The priority of protection shall be designed to prevent malevolent acts such as theft, and radiological sabotage. a. Protection afforded SNM shall be graded according to the nuclear material safeguards category, as defined in Figure I-2 of DOE M 474.1-1, MANUAL FOR CONTROL AND ACCOUNTABILITY OF NUCLEAR MATERIALS, dated 8-11-99, and must reflect the specific nature of nuclear weapons or SNM existing at each site. (1) DOE O 474.1, CONTROL AND ACCOUNTABILITY OF NUCLEAR MATERIALS, and DOE M 474.1-1, both dated 8/11/99, must be used to determine the potential to accumulate a Category I quantity of SNM by theft from more than one location (roll-up) within the same protected area. (2) Facilities outside a protected area containing Category III and IV Attractiveness l Level B and C SNM must ensure that these areas do not contain a credible roll-up accumulation of Category I or II materials. If a roll- up situation could develop, the materials must be protected at the higher category level. b. A facility may not possess, receive, process, transport, or store nuclear weapons and SNM until that facility has been approved as required by DOE O 470.1. c. Protection of nuclear material production, reactors, and fuel must be consistent with the category of SNM involved and/or the consequences of radiological sabotage. d. An integrated, graded system of positive measures must be developed and implemented to protect Category I SNM, and nuclear weapons and to address physical protection from denial and neutralization, as well as containment recapture/recovery and/or pursuit. e. The following are examples of factors must be considered in determining physical protection for each category of SNM: ease of separability, accessibility, and concealment; quantity, chemical form, isotopic composition, purity, and containment; portability; protection strategies; radioactivity; and self-protecting features. f. SNM that is classified because of its configuration or content, or because it is part of a classified item, must receive the physical protection required by the highest level of classification of the configuration, content, item, or category of SNM involved. g. Specific physical protection requirements, such as systems and protective personnel response capabilities necessary to satisfy identified protection needs, must be documented. 2. ACCESS. Access controls must be in place to ensure that only properly cleared and authorized personnel are permitted unescorted access to SNM. Access authorizations (security clearances) must be granted according to DOE O 472.1B, PERSONNEL SECURITY ACTIVITIES. See Table 1 of this Manual for SNM access authorization requirements. 3. INTRUSION DETECTION SYSTEM. Category I and II quantities of SNM and nuclear weapons must be protected by an integrated physical protection system using response forces and intrusion detection systems (IDS) with tamper-indicating devices. 4. BARRIERS AND DELAY MECHANISMS. Delay mechanisms must be employed to prevent removal or unauthorized use of Category I and II quantities of SNM. Delay mechanisms may include both passive barriers (e.g., walls, ceilings, floors, windows, doors, and security bars) and activated barriers (e.g., sticky foam, pop-up barriers, and cold smoke). 5. PROTECTIVE FORCE POSTS. See DOE 5632.7A, PROTECTIVE FORCE PROGRAM, or DOE O 473.2, PROTECTIVE FORCE PROGRAM, when implemented. Protective force personnel must be available and positioned to respond to a threat so that they can deny, neutralize, contain, and/or interrupt adversaries, or perform recapture/recovery and pursuit missions within the required response times. The response action must be based on the protection strategy specified in the SSSP or site security plan. 6. STORAGE. Each facility must have controls for all categories of nuclear materials held in storage, consistent with the graded safeguards approach required by Chapter XI of this Manual. Controls for storage must: a. be formally documented; b. ensure that only authorized personnel have access to the storage repositories; c. prevent and/or detect unauthorized access; d. describe procedures used to authenticate material movements into or out of a storage location; e. include procedures for investigating and reporting abnormal conditions; f. provide a record system to document ingress/egress to storage; and g. define procedures for conducting inventories and daily administrative checks. 7. CATEGORY I QUANTITIES OF SPECIAL NUCLEAR MATERIAL. The following requirements apply to the storage, use or in process, and the transport of Category I quantities of SNM. a. In-Process. Material must be used or processed within material access areas. Any location within a material access area that contains unattended Category I quantities of SNM in use or process must be equipped with an IDS or other effective means of intrusion detection as approved by the local DOE authority for safeguards and security. Material in use may not be left unattended without being protected according to the open storage protection requirements of this Manual, Chapters III, and XI. b. Storage. Material that is not in use or process must be stored within a material access area as follows. (1) Category I SNM, Attractiveness Level A material must be stored in a vault. Storage facilities for Category I SNM Attractiveness Level A, constructed after 7-14-94 must be constructed underground or below-grade. (2) Category I SNM, Attractiveness Level B material must be stored in a vault or provided enhanced protection that exceeds vault-type room storage [e.g., collocated with protective force response station and/or activated barrier(s)]. (3) Category I SNM, Attractiveness Level C material, must, as a minimum, be stored in a vault-type room. c. In-Transit. The following requirements apply to the protection of material in transit. (1) Domestic off site shipments of Category I quantities of SNM must be made by the Transportation Safeguards System, managed by the DOE Albuquerque Operations Office. (2) Packages or containers containing SNM must be sealed with tamper-indicating devices. (3) To protect against threats, protection measures for movements of material between protected areas at the same site, or between protected areas and staging areas at the same site, must be under direct surveillance by the protective force personnel as established in the "Design Basis Threat for Department of Energy Programs and Facilities (U)," and as documented in the SSSP. Table 1. Access Authorization (Security Clearance) Requirements for Unescorted Access to SNM. Special Nuclear Material Category Type of Access Authorization Required for Unescorted Access Remarks I and II with credible roll-up to I Q Hands-on access or transportation of Category I quantities of SNM may require additional measures, such as Personnel Security Assurance Program participation and/or enhanced material surveillance procedures, to further reduce the probability of insider acts. Document in the SSSP. II and III L Unless special circumstances determined by site vulnerability assessment, require Q access authorization to minimize risk. Document in SSSP. IV None Unless special circumstances determined by site vulnerability assessment, require access authorization to mitigate risk. Document in SSSP. 8. CATEGORY II QUANTITIES OF SPECIAL NUCLEAR MATERIAL. The following requirements apply to storage and use or in process of Category II quantities of SNM. a. In-Process. Material must be used or stored only within a protected area. Any location within a protected area that contains unattended Category II quantities of SNM in use or in process must be equipped with intrusion detection systems IDSs or other effective means of intrusion detection. Material in use may not be left unattended without being protected according to the open storage protection requirements of this Manual, Chapters III, and XI. b. Storage. When not in use or process, material must be stored in a vault or vault-type room located within a protected area. c. In-Transit. Shipments must conform to the shipment requirements for Category I quantities of SNM. (See Paragraph 7c above.) 9. CATEGORY III QUANTITIES OF SPECIAL NUCLEAR MATERIAL. The following requirements apply to storage, use, and transport of Category III quantities of SNM. a. In-Process. Material must be processed within the minimum protection of a limited area. b. Storage. When not in process or when unattended, material must be stored within a limited area and secured within a locked security container or locked room. The container or locked room containing the matter must be under the protection of an IDS or protective patrol as required by Chapter III of this Manual. c. In-Transit. (1) Domestic off site shipments of classified configurations of Category III quantities of SNM may be made by the Transportation Safeguards System. (2) Methods of shipping unclassified configurations. (a) Truck or Train. Truck or train shipments must meet the following requirements. 1 Government-owned or exclusive-use truck, commercial carrier, or rail may be used to ship Category III quantities of SNM. 2 The transport vehicle must be inspected in detail before loading and shipment. Cargo compartments must be locked and sealed while en route. 3 Personnel assigned to escort shipments must periodically communicate with a control station operator who can request appropriate local law enforcement agency response, if needed. 4 Shipments must be made without intermediate stops except for emergency reasons, driver relief, meals, refueling, or transfer of security interests. (b) Air Shipment. Category III quantities of SNM may be shipped by air if not otherwise prohibited by statute or otherwise limited by implementing instructions. Shipments must be under the direct observation of the authorized escorts during all land movements and loading and unloading operations. (3) Movements of Category III quantities of SNM between security areas at the same site must comply with the appropriate locally developed security plan. 10. CATEGORY IV QUANTITIES OF SNM. The following requirements apply to storage and use of Category IV quantities of SNM. a. In-Process. Material must be processed according to locally developed security procedures. b. Storage. When not in process or when unattended, material must be stored according to the procedures approved and implemented in the security plan. c. In-Transit. (1) Domestic off site shipments of classified configurations of Category IV quantities of SNM may be made by the Transportation Safeguards System, under procedures approved by the Albuquerque Operations Office as deemed appropriate, and by agreements between the Manager, Albuquerque Operations Office, and the respective heads of field elements. (2) Shipments of unclassified configurations of material may be made by truck, rail, or water in commercial, for-hire, or leased vehicles. If not otherwise prohibited by state or Federal laws, Category IV quantities of SNM may also be shipped by air. (a) Shipments (except laboratory analysis samples or reference materials) must be arranged with a capability to trace and identify, within 24 hours of request, the precise location where a shipment went astray in the event that it fails to arrive at the destination at the prescribed time. (b) Shippers are required to give the consignee an estimated time of arrival before dispatch, and to follow up with a written confirmation not later than 48 hours after dispatch. (c) Consignees must promptly notify the shipper by telephone and written confirmation upon determination that a shipment has not arrived by the scheduled time. 11. VITAL EQUIPMENT. SSSPs are required to define applicable threats and measures planned to protect vital equipment from hostile actions. CHAPTER III PROTECTION OF CLASSIFIED MATTER 1. GENERAL REQUIREMENTS. a. Classified SNM must be protected in accordance with Chapter II of this Manual if the SNM categories and attractiveness levels dictate more stringent requirements. b. When possible, classified matter shall be processed, handled, or stored in security areas providing control measures equal to or greater than those present in Limited Area. When Top Secret or Secret matter is not processed, handled, and/or stored within Limited Areas or above, it shall be maintained in an accountability system as required in DOE M 471.2-1B, Chapter II. c. All classified matter storage facilities, e.g., GSA approved containers, vaults and vault- type rooms, shall be within facilities, buildings, rooms, structures, etc., and must be afforded the protection measures necessary to prevent unauthorized persons from gaining access to classified matter and materials. d. The physical protection requirements of this Manual must be implemented for all new and existing DOE facilities, buildings, and areas used or to be used to protect DOE security interests. 2. STORAGE REQUIREMENTS. The following physical security storage requirements apply to classified safeguards and security interests. (Items in this chapter may duplicate provisions of DOE M 471.2-1B to provide continuity of protection information. Notify the Office of Safeguards and Security of any conflict in requirements.) a. Restrictions on Use of Secure Storage Repositories. (1) Funds, firearms, medical items, controlled substances, precious metals, or other items susceptible to theft may not be stored in the same secure storage repository used to store classified matter. (2) Secure storage repositories may not bear any external classification or other markings that would indicate the level of classified matter authorized to be stored within the container. For identification purposes, each security container must externally bear a uniquely assigned number. b. Security containers required for the storage of classified matter must conform to General Services Administration (GSA) standards and specifications. Vaults and vault- type rooms required for storage must meet the requirements of Chapter XI of this Manual. Classified matter that is not under the personal control of an authorized person must be stored as prescribed below. NOTE #1: Protective force personnel must examine exposed surfaces of the container, vault, vault-type-room, and steel filing cabinets for evidence of any forced entry and to ensure that the container or door is locked. NOTE #2: The times indicated below may be used when the safeguards and security interest is NOT SNM. If the safeguards and security interest is SNM, response times must be based on the amount of time required to implement the protection strategy (i.e., denial, containment), as specified in Chapters I and II of this Manual. NOTE #3: "Under the protection of intrusion detection alarms" means that the security containers must be protected within the protection envelope of alarm sensors. (1) Top Secret Matter. Top Secret matter must be stored in one of the following ways: NOTE: Top Secret matter not stored in security areas providing control measures equal to or greater than those present in limited areas must be maintained in an accountability system as required in DOE M 471.2-1B. (a) in a locked, GSA-approved security container with one of the following supplemental controls: 1 under intrusion detection alarm protection and protective force response personnel are capable of arriving within 15 minutes of alarm annunciation, 2 protective force personnel perform inspections on a 2-hour basis, or 3 in a security container equipped with a lock meeting Federal Specification FF-L-2740, but only if the container is located in a limited, exclusion, protected, or material access area; (b) in a vault within the minimum of a limited area and approved by the cognizant DOE element. The vault must be equipped with intrusion detection protection and protective force personnel must be capable of responding within 15 minutes of alarm annunciation. The vault shall be located within a limited, exclusion, protected, or material access area; (c) in a vault-type room within the minimum of a limited area and approved by the cognizant DOE element. The vault-type room shall be equipped with intrusion detection protection with protected force response within 15 minutes of alarm annunciation. The vault-type room shall be located within a limited, exclusion, protected, or material access area; (d) In a vault-type room, if located outside a minimum of a Limited, exclusion, protected, or material access area, the vault type room shall be under IDS protection with protective force response arriving within 5 minutes of alarm annunciation. (2) Secret Matter. Secret matter must be stored in a manner authorized for Top Secret matter or in one of the following ways: NOTE: Secret matter not stored in security areas providing control measures equal to or greater than those present in limited areas must be maintained in an accountability system as required in DOE M 471.2-1B. (a) in a locked GSA-approved security container, or vault without supplemental controls; (b) in a vault-type room and approved by the cognizant DOE element; the vault-type room must be equipped with intrusion detection protection and protective force personnel must be capable of responding within 30 minutes of alarm annunciation; the vault-type room must be located within a limited, exclusion, protected, or material access area; (c) in a vault-type room, located outside of a DOE limited or higher security area, and approved by the cognizant DOE element; when located outside of the minimum of a limited area, the vault-type room must be under intrusion detection alarm protection and protective force personnel must be capable of responding within 15 minutes of alarm annunciation; (d) in steel filing cabinets not meeting GSA requirements (such containers purchased and approved for use prior to 7-15-94 may continue to be used until October 1, 2012) that must be equipped with three-position, dial-type, built-in changeable combination locks. The cabinet must be located in a locked area or building within a limited, exclusion, protected, or material access area. In addition, one of the following supplemental controls is required: 1 intrusion detection alarm protection that provides for protective force response within 30 minutes of alarm annunciation when the area is unattended , or 2 the container is inspected every 4 hours by protective force when unattended, or by cleared duty personnel. (3) Confidential Matter. Confidential matter shall be stored in the same manner as prescribed for Top Secret or Secret information except the supplemental controls are not required. c. Nonstandard Methods of Storage. Physical protection storage methods of this chapter apply for Top Secret, Secret, and Confidential matter regardless of size, weight, construction, or other characteristics. When standard protection storage methods cannot be met, a request for alternative, or equivalent storage methods must be submitted for approval to the Office of Primary Interest, SO-21, forwarded through the appropriate field elements and program offices. (1) Measures to be implemented for each nonstandard condition must be documented in the applicable SSSP or security plan after approval by the DOE, Office of Safeguards and Security. (2) minimum measures to be used in place of standard protection requirements must utilize either barriers, intrusion detection, and protective personnel, or a combination of those protective means. (3) For protective force to be employed as a specified supplemental protection measure, due consideration should be given to ensuring the interval for those inspections is less than the time required for an adversary to gain undetected access to the classified matter and/or remove the classified matter and escape detection. d. Protective Force Personnel. Protective personnel, private security firms, or local law enforcement personnel must respond to intrusion detection alarms as specified in Paragraph 2b of this chapter. Specific details regarding this response (e.g., numbers of protective personnel responding, response positions, duties, etc.) must be documented in approved security plans. e. Alternative Storage Locations. (1) With prior written approval of the cognizant DOE element, a bank safe deposit box/vault may be used to store Secret or Confidential matter, provided that the lock and keys to the box/vault are changed prior to such use and the customer's key is furnished only to persons authorized access to the contents. (2) Federal Records Centers, approved as outlined in DOE O 470.1, may be used to store classified information. CHAPTER IV RADIOLOGICAL AND TOXICOLOGICAL SABOTAGE PROTECTION 1.0 GENERAL REQUIREMENTS. The radiological sabotage protection must comply with the physical protection requirements of Chapter II of this Manual if the SNM categories and attractiveness levels dictate more stringent requirements; otherwise, the provisions of this chapter apply. Protection of radiological and toxicological targets must be provided in a graded manner to be consistent with the level of hazards present. The SSSP and security protection strategies shall must address responses to radiological and toxicological sabotage, including mitigation of possible events. These plans must be coordinated and integrated into the site's Emergency Management functions. CHAPTER V SECURITY AREAS 1. GENERAL REQUIREMENTS. DOE security areas are designated in ascending order as property protection areas, limited areas, exclusion areas, protected areas, vital areas, and material access areas. The cognizant DOE safeguards and security authority approves the applicability of security requirements for property protection areas. The following requirements apply to all security areas except property protection areas. a. Access is controlled to limit entry to appropriately cleared and/or authorized individuals. (1) Any person permitted to enter a security area who does not possess an access authorization at the appropriate level and a DOE security badge, must be escorted at all times by a cleared and knowledgeable individual. (2) Local authorities must establish escort-to-visitor ratios in a graded manner for each security areas. b. Entrance/exit inspections of personnel, hand-carried items, packages and mail, and/or vehicles must provide assurance that prohibited articles are not introduced into security areas and that safeguards and security interests are not removed from the area without authorization. (1) Inspections. Entrance/exit inspections at entry control portals, as required, must be made by protective personnel or with detection equipment designed to detect prohibited articles. [See Subparagraph 1b(2) below.] Inspection procedures, requirements, and frequencies must be developed based on a graded approach and included in the appropriate security plan. (2) Prohibited Articles. The Department considers the following articles to be prohibited: all explosives or other dangerous weapons; all alcoholic beverages; all instruments, or material likely to produce substantial injury to persons or damage to persons or property; all controlled substances (e.g., illegal drugs and associated paraphernalia, but not prescription medicine); and any other items prohibited by law (Reference: Title 10 CFR Part 860, and Title 41 CFR Part 101-19.3.). The local cognizant DOE approving authority for safeguards and security may authorize the introduction of those articles when used to conduct official Government business. (3) Controlled Articles. The following articles are not permitted in a limited, exclusion, protected, or material access area without prior authorization, and; prohibition of these articles must also be documented in a local security plan by the cognizant DOE authority for safeguards and security: (a) recording equipment (audio, video, optical, or data); (b) electronic equipment with a data exchange port capable of being connected to automated information system equipment; (c) cellular telephones; (d) radio frequency transmitting equipment; and (e) computers and associated media. c. Concentric Security Area Entry/Exit Inspections. When a security area is contained entirely within a larger security area, additional entry/exit inspections are not required at the inner security area perimeter if inspections conducted at the outer security area boundary are at the same level as required for the inner security area boundary. (1) Entry and exit inspections must be conducted at material access area boundaries regardless of outer boundary inspections. (2) To be designated as a concentric security area, the area must have a separate and distinct barrier(s) and access portal(s) from any other designated security area, (e.g., the boundary for a protected area and the boundary for a material access area cannot employ the same barrier at any location. d. Critical infrastructure assets must be provided the minimum concentric security area protection of a limited area. Based on the concept of graded protection, critical infrastructure assets may be provided the protection of protective personnel, access controls, and intrusion detection alarms and assessment based on the local vulnerability assessment. e. Emergency personnel and vehicles may be authorized immediate entry to security areas in response to an emergency. Conditions and procedures for immediate entry must be documented in the SSSP or security plan. Personnel and vehicles are subject to exit inspections when the emergency is over. f. Signs must be posted to convey information on the Atomic Weapons and Special Nuclear Rewards Act; prohibited articles; the inspection of vehicles, packages, or persons either entering or exiting; notification of video surveillance equipment; and trespassing, if applicable. Signs prohibiting trespassing must be posted around the perimeter and at each entrance to a security area except when unless one security area is located within a larger posted security area. See Chapter XIV for further details. g. Parking areas must be exterior to, and be located at least 15 feet away from, the outer barrier of the DOE security area clear zones that are equivalent to or more restrictive than limited areas. Furthermore, parking areas must be located with a minimum stand- off distance of 50 feet from buildings within a limited area, and 75 feet from buildings located within a protected area, or as determined for the vital area and as documented in the SSSP. (1) Parking areas located near security areas must address possible interference with intrusion detection sensor fields, as well as clear zones, Special Response Team (SRT) activities, and the design basis threat. (2) The explosive threat must be considered in assessments of vehicle parking and drive areas. h. Visitor logs must be used at protected areas, material access areas, and exclusion areas. (1) Requirements and procedures for visitor logs at security areas must be developed and approved by the cognizant local DOE authority for safeguards and security. These procedures must provide for recording information required for DOE F 1240.1, "Foreign Visitors Security Register," and DOE F 5630.6, "Visitors Security Register." (2) Automated access control system logs may be used to record visitor information when implemented in the SSSP/security plans. Information from visitor registers and logs must be retained in accordance with local records management procedures. 2. SECURITY AREA BARRIERS. Permanent physical boundaries must be used to enclose security areas except during construction or transient activities, when temporary barriers can be erected. a. Physical barriers, such as fences, walls, and doors, must be used to identify the boundary of a security area. Barriers must meet the following requirements, as well as the requirements defined in Chapter X of this Manual. (1) Barriers must be used to direct the flow of personnel and vehicles through designated entry control portals. (2) Barriers must be capable of controlling, impeding, or denying access to a security area. (3) Barriers must be used to deter the introduction of prohibited articles or the removal of safeguards and security interests. (4) Barriers must be used to deter and/or prevent penetration by motorized vehicles where vehicular access could significantly enhance the likelihood of a successful malevolent act. (5) Physical barriers may be used to protect critical infrastructure assets, Government property and facilities. (6) Alarms are required for all unattended openings in barriers, gates and/or portals, and culverts and sewers where the unattended openings meet the following criteria: (a) the opening is larger than 96 square inches (619.20 square centimeters) in area and larger than 6 inches (15.24 centimeters) in the smallest dimension; and (b) the opening is located within 18 feet (5.48 meters) of the ground, roof, or ledge of a lower security area; or (c) the opening is located within 14 feet (4.26 meters) diagonally or directly opposite windows, fire escapes, roofs, or other openings in uncontrolled adjacent buildings; or (d) the opening is located within 6 feet (1.83 meters) of other uncontrolled openings in the same barrier. (7) Objects may not be placed next to barriers because they could be used by intruders to scale the barriers and enter the area. b. Penetrations of Security Barriers or Security Areas. Protection features at each barrier penetration must provide the same degree of penetration resistance as the barrier itself. If a penetration cannot be closed off with the same degree of penetration resistance, an IDS must be used. (1) Overhead utilities may not pass between a security area and a lower security area without physical protection features to prevent access. In addition, utility equipment and supports may not be located in clear zones or security areas that are equivalent to or more restrictive than protected areas. Locating equipment and supports in these areas may provide cover or otherwise aid individuals illegally crossing security boundaries. (2) Any elevator that penetrates a security barrier must be provided with access control systems with security equivalent to that of the barrier penetrated. (3) The use of cable trays must be considered for large, multiple-cable applications in both interior and exterior locations. (4) Utility corridors that penetrate security barriers must provide the same degree of penetration resistance as that provided by each barrier they penetrate. This provision applies when the unattended opening within the utility corridor meets the unattended opening requirements of Paragraph 2a(6) above. 3. PROPERTY PROTECTION AREA. A property protection area is a security area established to protect Government-owned property against damage, destruction, or theft and to control public access. Measures taken must be adequate to give reasonable assurance of protection and may include physical barriers, access control systems, protective personnel, IDSs, and locks and keys. a. Access controls may be implemented to protect DOE property and facilities. When access to a property protection area is controlled by an unattended automated access control system, the system must verify the validity of the DOE standard badge. b. DOE personnel and contractors must wear their DOE security badges in plain view while on DOE property, or leased areas, including Property Protection Areas, unless specifically exempted by local DOE Security Office approved procedures. c. Signs prohibiting trespassing, where necessary, must be posted around the perimeter and at each entrance to the property protection area in accordance with Title 10 CFR Part 860, Trespassing on Administration Property, and Title 41 CFR Part 101-19.3, Federal Property Management Regulation. See Chapter XIV. d. Personnel, vehicles, and hand-carried items entering or exiting the property protection area are subject to inspection to deter and/or detect unauthorized introduction of prohibited articles and removal of Government assets. e. Property protection area security measures must be approved by the cognizant DOE safeguards and security approving authority. Property protection area security measures must be developed to protect Government-owned property against damage, destruction, and/or theft. These protective measures must be implemented in the SSSP, or security plan. 4. LIMITED AREA. A limited area is a security area designated for the protection of classified matter and/or Category III or lower quantities of SNM and critical infrastructure assets. a. General Requirements. Limited areas are defined by physical barriers encompassing the designated space, access controls to provide assurance that only authorized personnel are allowed to enter and exit the area, and random entrance/exit inspections, and other means to detect unauthorized access. Limited area access requirements must be administered as follows. (1) Individuals permitted unescorted access have require access authorization and need-to-know consistent with the matter under protection within the area. (2) Individuals without appropriate access authorization or need-to-know must be escorted, and measures must be taken to prevent compromise of classified matter. (3) Access to safeguards and security interests and critical infrastructure assets within a limited area, when not in approved storage, must be controlled by the custodian(s) or authorized user(s). (4) Limited area "islands" not included in an otherwise larger geographic site limited area, (i.e., off-site office space in commercial or Federal buildings) must meet the following requirements. (a) Limited area islands, such as office space accessed by keys or combination locks, that store Secret matter or below, and that otherwise meet the classified matter storage requirements of Chapter III of this Manual, may be subject to access control requirements as approved by the local cognizant DOE safeguards and security approving authority. (b) Access to these limited area islands must be controlled and portals limited. Barriers must be in place to prevent further access to exclusion areas or other higher-level security areas, and to all SNM. (5) Entrance inspections of personnel, vehicles, and hand-carried items must be conducted to deter and detect unauthorized introduction of prohibited and controlled articles. (6) Exit inspections of personnel, vehicles, and hand-carried items must be conducted to deter and detect the unauthorized removal of classified matter and Government property. b. Personnel and Vehicle Access Control. The identity and access authorization of persons allowed access must be validated by protective personnel (e.g., protective force or other appropriately authorized personnel) and/or by automated systems, or other means documented in the security plan. Such validations must occur at the entrances to limited areas. Additional access control requirements are as follows. (1) All non-government vehicles are prohibited from limited areas unless specifically authorized by the local DOE approving authority, and as documented in the SSSP. (2) Government-owned or Government-leased vehicles may be admitted to limited areas only for official business and only when operated by properly cleared and authorized drivers, or when the drivers are escorted by properly cleared and authorized personnel. Local safeguards and security authorities must implement procedures for search and access of service and delivery vehicles on official business; however, escort by properly cleared and authorized personnel is required. Entry of service and delivery vehicles may not enter limited areas more often than necessary to continue efficient operations. (3) Automated access control systems must be used to verify the following: valid DOE standard badge (i.e., validity of the badge is matched between the badge serial number read by the system and matches the serial number assigned to the badge holder), valid access authorization, and valid personal identification number (PIN). Protective personnel, or other means documented in the security plan, may be used to validate the badge and access authorization at automated access control points. 5. EXCLUSION AREA. An exclusion area is a security area where an individual's mere presence results in access to classified matter. An exclusion area must meet the minimum protection requirements for a limited area, and may be designated for protected areas and material access areas. a. General Requirements. The boundaries of an exclusion area must be identified by barriers that encompass the designated space. Exclusion areas also require access controls and entrance/exit inspections to provide reasonable assurance that only authorized personnel are allowed to enter and exit the area. When the exclusion area is designated as a protected area or materials access area, protection provisions must meet the minimum requirements for the security area designated. Exclusion area requirements must be administered as follows. (1) Individuals permitted unescorted access must have access authorizations and need-to-know consistent with the matter to which they would have access by mere virtue of their presence in the area. (2) Individuals without appropriate access authorization and need-to-know, must be escorted, and measures must be taken to prevent compromise of classified matter while the individuals are in the area. (3) An unattended exclusion area must be protected by protective force personnel and by IDSs as required by Chapter III of this Manual. Exclusion areas protecting SNM must provide protection as specified in Chapter II of this Manual. b. Personnel and Vehicle Access Control. Validation by protective personnel and/or automated systems must be used at entrances to validate the identity and access authorization of persons allowed access. All access restrictions for personnel and vehicle access control that apply to limited areas also apply to exclusion areas. 6. PROTECTED AREA. A protected area is a security area used to protect Category II quantities of SNM and/or to provide a concentric security zone surrounding separately defined material access areas. a. General Requirements. A protected area must be: (1) encompassed by physical barriers identifying its boundaries, (2) surrounded by perimeter intrusion detection and assessment systems; and, (3) equipped with access controls to provide assurance that only authorized personnel are allowed to enter and exit the area. b. Protected Area Barriers. Protected area boundaries must be designed to detect/deter an outside attack. The design must also allow for appropriate personnel, vehicle, and materials/packages portals, while deterring or preventing an insider from passing material over the barrier for later retrieval. Proximity to buildings or overhanging structures must be considered in barrier design. (1) The attempted removal of safeguards and security interests by an insider must also be a design consideration for site/facility boundaries. (2) Protected area portal systems must allow for the passage of personnel while detecting the presence of SNM and other prohibited items. While material control and accountability concerns generally relate to insiders removing SNM from the area, physical security concerns at portals must also include procedures and equipment to detect explosives or weapons being brought in by any means. Portal design must include separate package inspection stations so that packages can be inspected separately. The following applies provisions apply to the design of portals. (a) Portal monitors must be installed so that items cannot be passed around the portal without being detected. (b) Portal monitors must be co-located with protective force posts so that adequate response to an alarm is initiated. Protective force stations must be designed with an unobstructed view so that protective force personnel can observe any attempt to bypass systems. c. The following requirements apply to protected area access. (1) Entrance inspections of personnel, vehicles, and hand-carried items must be conducted to deter and detect unauthorized prohibited and controlled articles. (2) Exit inspections of personnel, vehicles, and hand-carried items must be conducted to deter and detect the unauthorized removal of SNM. Specific inspection procedures for SNM and metal detectors shall be established and documented with limitations and thresholds. If the protected area encompasses a material access area, but no Category II or greater quantity of SNM is contained outside the material access area, no SNM exit inspection is required. (a) At all protected-area non-emergency exit points, each vehicle, person, package, and container must be physically or electronically inspected. (b) Exit inspection procedures and detection thresholds for SNM and shielding must be established consistent with the material type, form, quantity, attractiveness level, size, configuration, portability, and credible diversion amounts of SNM contained within the area. (c) Exit inspections must be capable of detecting shielded SNM (e.g., by using a combination of SNM and metal detectors). (d) Procedures must ensure that portals without the means to detect SNM are not used except in emergencies. (3) Exits/entrances must either be alarmed with intrusion detection sensors or controlled at all times. (4) Protected areas must be encompassed by perimeter intrusion detection and assessment systems (PIDASs). The PIDAS must be monitored in continuously manned CASs and SASs. (5) Protective force response time to an intrusion detection must be less than the delay time that can be demonstrated from alarm activation until intruders could complete adverse actions. d. Personnel and Vehicle Access Control. Validation of the identity and access authorization of persons authorized access must be administered by armed protective force personnel and/or by means of an automated access control system. The following access control requirements apply. (1) Private vehicles must be prohibited from a protected area. (2) Government-owned or Government-leased vehicles may be admitted only when on official business and only when operated by properly cleared and authorized drivers, or when drivers are escorted by properly cleared, authorized personnel. Service and delivery vehicles may not enter limited areas more often than necessary to continue efficient operations. (3) Where access to a protected area is controlled by an unattended automated access control system, the system must verify the following: valid DOE standard badge (i.e., the badge serial number read by the system matches the serial number assigned to the badge holder), valid access authorization, and valid PIN. Protective personnel, or other means documented in the security plan, may be used to validate the badge and access authorization at automated access control points. 7. MATERIAL ACCESS AREA. A material access area is a security area used to protect Category I quantities of SNM or Category II quantities of SNM with credible roll-up to a Category I quantity. a. General Requirements. The material access area must have defined boundaries that provide sufficient delay time to impede, control, or deter unauthorized access. (1) A material access area must be located within a separate and distinct protected area. (2) A material access area boundary must deter or detect the unauthorized movement of material through it while allowing access by authorized personnel, access and authorized material movement through authorized portals, and emergency evacuation as necessary. Doors at such transfer locations must be fitted with alarms with the means to communicate with the CAS. (3) Protective force response time to an intrusion detection must be less than the delay time that can be demonstrated from alarm activation until intruders could complete adverse actions. (4) Penetrations in the floor, walls, or ceiling for piping, heating, venting, air conditioning, or other support systems must not create accessible paths that could facilitate the removal of safeguards and security interests. (5) Exits designed for emergency evacuation must be alarmed with intrusion detection sensors or controlled at all times. b. Entry/Exit Inspections. Inspections must provide assurance against the unauthorized introduction of prohibited articles or removal of SNM by force, stealth, or deceit. (1) Entrance inspections of personnel, vehicles, and hand-carried items must be conducted to deter and detect the unauthorized introduction of prohibited articles and controlled substances. (2) Exit inspections of personnel, vehicles, and hand-carried items must be conducted to deter and detect the unauthorized removal of SNM. Specific inspection procedures and SNM/metal detection thresholds and limitations must be established and documented. (a) A separate physical or electronic inspection of each vehicle, person, package, and container must be conducted at all non-emergency exit points for material access areas that contain Category I quantities of SNM (or Category II quantities with credible roll-up to a Category I quantity SNM). (b) Exit inspection procedures and detection thresholds for SNM and shielding must be established consistent with the material type, form, quantity, attractiveness level, size, configuration, portability, and credible diversion amounts of SNM contained within the area. (c) Exit inspections must be capable of detecting shielded SNM (e.g., by using a combination of SNM and metal detectors). (d) Procedures must ensure that portals have the means to detect SNM. c. Personnel and Vehicle Access Control. The identity, access authorization, and authority to enter for persons allowed access must be validated at material access area entrances. Access control must be administered by armed protective force personnel and/or automated access control systems. (1) Private vehicles be are excluded from a material access area. (2) Government-owned or Government-leased vehicles are admitted to material access areas only when on official business. Drivers must have the proper access authorization or be escorted by authorized personnel with the proper access authorization. (3) Exit inspection procedures and detection thresholds for SNM and shielding must be established consistent with the material type, form, quantity, attractiveness level, size, configuration, portability, and credible diversion amounts of SNM contained within the area. (4) Where access to a material access area is controlled by an unattended automated access control system, the system must verify the following: valid DOE standard badge (i.e., the badge serial number read by the system matches the serial number assigned to the badge holder), valid access authorization, valid biometric template. and valid PIN. Protective personnel, or other means documented in the security plan, may be used to validate the badge and access authorization at automated access control points. (5) Although material control and accountability concerns generally relate to insiders removing SNM, physical security concerns at portals include the detection of explosives and weapons being brought in. In addition, equipment/package portals are sometimes designed so that protective personnel can monitor tools and packages separately from personnel. SNM portal monitors must be distanced or otherwise shielded from nuclear materials in the process area. This applies not only to locations of static storage, but also to passageways or conveyer systems that allow the passage of SNM within the facility. 8. VITAL AREA. A vital area is a security area used to protect vital equipment. a. In addition to protection strategies used at a protected area, the following requirements must be met. (1) Area boundaries must conform to the layered protection concept, with a separate vital area perimeter located within a separate and distinct protected area. (2) The perimeter of each vital area must be monitored to deter and detect unauthorized entry attempts. (3) Vital equipment must be protected with an IDS. (4) Exits must be alarmed or controlled at all times. (5) Protective force response time to an intrusion detection must be less than the delay time that can be demonstrated from alarm activation until intruders could complete adverse actions. b. Personnel and Vehicle Access Control. Procedures must be established requiring validation of the identity and access authorization of persons authorized access; validation must be administered by protective personnel or an automated access control system. Access control requirements must be as follows. (1) Private vehicles are prohibited from vital areas. (2) Government-owned or Government-leased vehicles may be admitted only when on official business and only when operated by properly cleared and authorized drivers, or when escorted by properly cleared and authorized personnel. (3) Where access to a vital area is controlled by an automated access control system, the system must verify the following: valid DOE standard badge (i.e., the badge serial number read by the system matches the serial number assigned to the badge holder), valid access authorization, and valid PIN. Protective personnel, or other means documented in the security plan, may be used to validate the badge and access authorization at automated access control points. 9. OTHER DESIGNATED SECURITY AREA REQUIREMENTS. Other areas with restricted access requirements in addition to those limited access to the security area include secure communications centers, sensitive compartmented information facilities, central alarm stations, secondary alarm stations, local law enforcement agency or private alarm stations, and automated information system centers. The requirements for other designated security areas are as follows. a. Alarm Systems. A central alarm system (CAS) and secondary alarm station (SAS) must be used to protect Category I and II quantities of SNM as required by Chapter VI of this Manual. b. Sensitive Compartmented Information Facilities. DOE follows the requirements in Director of Central Intelligence Directive 1/21 for the construction of Sensitive Compartmented Information Facilities. c. Local Law Enforcement Agency or Private Alarm Station. If response by local law enforcement agency/protective personnel to alarm activity is required, the response must meet the specifications for Grade AA as contained in Underwriters Laboratories Standard 611, "Central-Station Burglar-Alarm Systems." d. Secure Communications Centers and Automated Information System Centers. (1) Centers handling classified messages or information must be located, as a minimum, within a limited area. (2) Separate access controls and barriers must be established to restrict admittance to persons employed therein or requiring access to perform their official duties. (3) Access authorizations, consistent with the highest level and category of classified information handled, be are required for all persons assigned to or having any unescorted access to these centers. A list of persons authorized such access must be maintained within the center, and a record of all visitors entering the facility must be maintained. CHAPTER VI ALARM MANAGEMENT AND CONTROL SYSTEM 1. GENERAL REQUIREMENTS. This chapter outlines requirements for integrated security systems protecting Category I and II quantities of SNM, and quantities of SNM that presents a credible roll-up to a Category I quantity of SNM, Top Secret matter, and other high- consequence assets as designated. All alarms used to protect Category I and II quantities of SNM, including roll-up to Category I or II, must annunciate directly to the central and secondary alarm stations in real-time. The protection systems afforded DOE safeguards and security must provide integrated hardware and software working as a whole to provide timely data communications and command and control of security input and output. The integrated protection systems must be operated from one central and one secondary location. a. Alarm stations provide monitoring of alarms and assessment for the Perimeter Intrusion Detection and Assessment System (PIDAS) and must provide a means to monitor alarms and provide assessment and responses to control security incidents. (1) A CAS and SAS must be used to monitor the security, access control, and assessment systems for protecting all Category I and II quantities of SNM, quantities of SNM that present a credible roll-up to a Category I quantity of SNM, Top Secret matter, and other high-consequence assets. (2) Both the CAS and the SAS must be attended constantly by appropriately trained security personnel who possess access authorizations commensurate with the highest level of SNM that is under protection. (3) Both the CAS and the SAS must be capable of providing effective control and response to safeguards and security incidents. (4) The CAS must be located within the minimum of a limited area. (5) Every CAS, including communications and computer areas constructed after the date of this Order, must be protected from compromising emanations. (6) Alarms for protecting Category I and II quantities of SNM, and quantities of SNM that present a credible roll-up to Category I or Category II quantities of SNM, and Top Secret matter must be distinguished at the CAS/SAS from alarms protecting other security interests. Annunciation of these alarms take priority over the alarms for other security interests. (7) Alarm station activities not related to automated access control, protective force communications, and the monitoring and assessment of alarms must be kept to a minimum. (8) General human factors. Security work areas and alarm stations must be ergonomically designed. (a) Equipment, including control panels, work tables and counters, enclosures, seating, storage, special clothing, and any other equipment designed for an operator, must be ergonomically designed to accommodate human body dimensions. (b) Personnel equipment must be designed to accommodate a wide variety of body dimensions. Equipment dimensions must accommodate the fifth to ninety-fifth percentile of the user population. b. Architectural. Safeguards and security CAS and SAS architectural requirements are as follows. (1) Exterior walls must be windowless, and roofs must be without skylights and roof windows. CASs that require windows for visual surveillance of areas outside the station must be fitted with bullet-resistant glass [Underwriters Laboratories (UL)-752, High Powered Rifle]. (2) Personnel entryways must be fitted with substantially constructed doors, equipped with locks operable from within the centers. (3) Structural openings must be kept to a minimum. (4) Central and secondary alarm stations must be designed with substantial walls, ceilings, and floors to for protect security personnel and communications equipment to a minimum of UL-752 standards for High Powered Rifle protection. Structural integrity must be sufficient to protect against unauthorized personnel intrusion. (5) CASs must have access control systems and barriers to restrict admittance to persons who are employed therein or who require access to perform official duties on a need-to-know basis. (6) CASs (and protective force communications center) must be equipped with radio and telephone channels for communication with local law enforcement agencies. (a) An alternative communications capability from an SAS must be provided for use if the primary station is compromised. (b) Radio communications equipment must remain operable if primary electric power is lost. (7) When vulnerability analyses show significantly elevated risk to Category I quantities of SNM due to Chemical Biological Warefare attack on a CAS(s), a means must be employed to protect the CAS operators. These protective measures may incorporate building filtration systems, personal protective devices, or incapacitating agent detectors. Where building filtration systems are employed, heating, ventilation, and air conditioning systems must be designed with air filtration features to protect against infiltration of aerosol and gas incapacitating agents. 2. CENTRAL AND SECONDARY ALARM STATION OPERATIONS. CASs and SASs must be designed to include all computers, file servers, CCTV switcher systems, alarm data communications, protective force communications, and auxiliary power equipment necessary for continuous operation of the system. Such equipment must be located within the station or within contiguous areas having the same degree of physical security and access control. a. The site's CAS must (1) be the primary point of intrusion detection alarm annunciation, assessment, and system monitoring, (2) provide the primary monitoring and alarm annunciation point for automated access control systems associated with protection of Category I and II quantities of SNM, (3) provide for the primary protective force communications point for alarm assessment and responses, (4) provide the primary central monitoring point for CCTV when CCTV is used for assessment, (5) provide the termination point of alarm data collection and communication, and (6) provide for maintenance and storage of spare units of line supervisory and alarm equipment within the station. b. CAS/SAS alarms must (1) annunciate directly in the CAS/SAS in real-time and annunciate in both the CAS/SAS simultaneously. (2) annunciate both audibly and visually in both the CAS and the SAS, (3) be acknowledged by straightforward and easily performed actions, (4) address alarm priorities for the reporting and acknowledgment of a multiple alarm scenario to ensure system credibility/reliability is not diminished, (5) have status indicators provided in the alarm station(s) to reveal system status changes, (6) indicate on the alarm station status indications, including the loss of primary power, which must not degrade the system, and (7) have a method to call the alarm station operators' attention to the CCTV monitor displaying an alarm point activation, when the alarm control monitoring system is integrated with a CCTV assessment system as primary assessment. c. The CAS must meet the construction requirements of a hardened post; and, the CAS must be located as a minimum within a limited area. (1) Exterior walls, windows, roofs/floors, and doors must be constructed of reinforced concrete or be reinforced with materials that result in a bullet- penetration resistance equivalent to the "high-powered rifle rating" given in UL- 752. (2) The CAS must provide adequate human engineering so that protective personnel occupying the posts can perform their duties efficiently. (3) The CAS must provide occupants with adequate protection from weather and temperature variations. d. The CAS must be designated an exclusion area. Access controls must be used to restrict admittance to only those persons who require access to perform official duties. e. Secondary Alarm Stations. The SAS is an alternative alarm annunciation point that will initiate a response if the CAS cannot perform its intended function. Secondary alarm stations need not duplicate the CAS, but must meet the operational requirements of the CAS with the exception of construction and located within a limited area. 3. IDS MONITORING FUNCTIONAL REQUIREMENTS. The following general provisions are required for an integrated PIDAS designed to protect Category I and II quantities of SNM, quantities of SNM that present a credible roll-up to Category I and II, Top Secret matter, and other high-consequence assets. a. The protection system must (1) have a timely capability for display and assessment of intrusion that accurately displays the correct functional state of every subsystem; (2) annunciate system status changes in the alarm station(s), including system component failure, loss of primary power, and radio frequency (RF) systems alarms; (3) ensure that all intrusion detection, system status, tamper, and line supervision alarms annunciate, directly and simultaneously in both the CAS and the SAS when protecting Category I and II quantities of SNM, quantities of SNM that present a credible roll-up to Category I or II, and Top Secret matter, or other high-consequence assets. b. Alarm functions must be prioritized so that those functions requiring immediate response (e.g., alarms protecting Category I and II quantities of SNM) have the highest priority. Background functions may not interfere with monitoring personnel's ability to initiate the appropriate responses. c. Records must be kept on each actual and/or false/nuisance alarm. (1) The alarm record must be reviewed, analysis performed, and corrective measures taken as applicable to ensure system effectiveness and minimize nuisance and false alarms. (2) The minimum record requirements are date and time of alarm, cause of the alarm or probable cause if definite cause cannot be established, and the name of the recorder or the operator on duty. (3) For systems installed after the date of this Manual, records must also include type of alarm [e.g., actual (with identifying data), false, nuisance, or tamper]; location of alarm; time of assessment; and name of assessor. d. The alarm record must be reviewed, analysis performed, and corrective measures taken as applicable to ensure system effectiveness and minimize nuisance and false alarms. e. Data communication systems must include the communication among all devices and computers within protection systems operations, including communications between the sensors, alarm groups, and field processors. (1) Systems installed after 9-14-94 used in the protection of Category I and II, and roll-up to Category I or II quantities of SNM must employ redundant, independently routed, or separate communication paths to avoid a single-point failure to the CAS and SAS. Redundant routed communications paths to the SAS must not be routed through the CAS. (2) Data communications must comply with the following communications links. (a) Separate data and control communication paths must be established between field processors and primary and secondary host computers. (b) Redundant data and control communications must be established between primary host computer and secondary host computers. A fail- over system must be used to ensure that the loss or degradation of one host computer will not cause the loss of the second. (c) Redundant pathways must begin at a point on the data communication links to the field processors and be conveyed and reported independently to both the CAS and the SAS. (Note: Links must be routed so that the CAS does not control the communication links to the SAS or vice versa. A separate data communication link to the CAS, and another to the SAS does not satisfy this requirement because both must have redundancy.) (d) If the communication path is in a "loop" configuration, it must feature reverse polling to meet the redundant pathway requirement. f. The system must be configured so that authorized personnel may make adjustments on the site's physical protection system configurations, such as placement of sensors, alarm groups, cameras, and access control devices. (1) Parameters and capabilities identified as configurable must be configurable only by authorized individuals at the site, as designated in writing. (2) The system must provide a way to identify authorized personnel; the system must also provide the capability to enforce the requirement that two persons or more concur on site configuration changes. (3) The system must allow authorized individuals to create, query, modify, and delete system configuration items. This process cannot interfere with console operations. 4. CLOSED CIRCUIT TELEVISION ASSESSMENT SYSTEMS. CAS/SAS-integrated security systems must be interfaced to a video subsystem to provide CCTV assessment and surveillance capability. a. A fixed-lens CCTV system must be used when cameras are the principal means of alarm assessment. Movable pan-tilt-or-zoom lens cameras may be used for surveillance and as back-up to fixed primary assessment cameras. b. The intrusion detection alarms used for primary assessment must be integrated with a CCTV automated switching system with real-time features to have the capability to call the CAS/SAS operators' attention to a CCTV alarm-associated video recorder/monitor. c. The CCTV picture quality must allow the operator to recognize and discriminate between human and animal presence in the camera field-of-view. d. The video subsystem must as a minimum support two monitors to display live video and two monitors to display recorded video. e. The system must have the capability to automatically switch to the camera associated with the alarm event and to display that event in the CAS for assessment by the operators. f. Video recorders must be actuated by intrusion alarm signals and must operate automatically. (1) The response must be rapid enough to record an actual intrusion. (2) The system must be capable of capturing video information related to an incident 50 milliseconds before the alarm sounds to indicate that an incident has begun. (3) The system must override manual switching commands of non-incident video to display video associated with an incident (if there is not at least one monitor reserved for incident video only). (4) Operators must be able to manually override the automatic features and manually operate a CCTV camera associated with another event out of the priority order. g. When CCTV is used as the principal means for assessing alarms and determining response level, CCTV cameras must have tamper-protection and/or feature loss-of-video alarm annunciation. (1) A loss-of-video alarm is a feature built into the CCTV camera and annunciates when the picture is lost. Loss-of-video implies that the picture has degraded to the point that the operators cannot identify objects within the camera's field of view. (2) CCTV cameras not protected by installation inside the perimeter intrusion detection and assessment system sensors must feature both tamper-protection and loss-of-video alarms. h. When CCTV is used as the primary assessment of the perimeter intrusion detection system, the coverage must be complete, with no gaps between zones and no areas that cannot be assessed because of shadows or objects blocking the camera fields. When such conditions are temporary, compensatory measures are required. i. Adequate lighting must be maintained on the PIDAS sensor zones and the isolation zone for CCTV assessment and surveillance 24 hours a day. When such conditions are not met, compensatory measures are required. j. Two consoles, one in the CAS and one in the SAS, are required to ensure that all camera control, and video recording can be performed at either console. The CCTV subsystem must be co-located with the CAS/SAS computers and servers. The system must be able to lock out those control functions from inoperable consoles. 5. NORMAL AND BACKUP POWER SUPPLIES. Normal on-site power must be provided for all physical protection systems equipment. Backup and emergency power supplies must be provided according to the requirements of this Manual, Chapter VII, and VIII. 6. OTHER REQUIREMENTS. Access to other areas designated as security areas by local procedures must be controlled and protected. a. Operating and equipment areas that contain relays, switches, electronic devices, and other dust-sensitive equipment must be designed to be relatively dust-free. To minimize dirt and dust, these areas must be windowless and without skylights or roof windows. All exterior doors must be weatherstripped. Access must be through vestibules, foyers, corridors, or other buffer areas. b Operating areas must be located and constructed to minimize outside noise interference and treated acoustically to maintain a low internal sound level commensurate with operating requirements. c. Shielded conduit and enclosures must avoid internal building support columns, which would degrade the efficiency of the enclosure. d. Flexible, shielded, conduit connections for communications cables serving security areas with hardened centers, vaults, vault-type rooms, etc., must incorporate sufficient slack to withstand potential displacement without impairing the installation or requiring the replacement of cables. Designers must provide floor inserts to secure the equipment to the floor through shock mounts designed to withstand anticipated blast effects. Ceiling inserts must be provided to brace equipment racks and cabinets and to support overhead cable racks or trays. e. Where radio communications or control equipment requires one or more exposed antennae having no significant blast resistance, the design must allow the antennae to be replaced from inside the shelter. Normally retracted "pop-up" antennae, operable from inside the hardened area, must be provided. f. Information on lightning protection is available in Military Handbook-419. For additional information, refer to Federal Information Processing Standard (FIPS) PUB 94. g. All electrically grounded towers must be electrically protected in conformance with National Fire Protection Agency (NFPA) 78. Ground conductors must be without intervening splices and protected against mechanical damage. If ground conductors must be enclosed within a tower foundation, separate ground conductors must be brought to at least two legs of the tower and extended to the air terminal. The emergence point at which ground conductors emerge from the foundation must be sealed against moisture. Ground conductors must also be protected against mechanical damage. Where guy supports are used, ground rods must be installed at each anchor and connected to all guys terminating at that location. A ground counterpoise system must be used only when required to meet the needs of the communications system or as necessary to ensure effective grounding. CHAPTER VII PROTECTION OF SECURITY SYSTEMS ELEMENTS 1. GENERAL PROTECTION REQUIREMENTS. Security-related equipment must be protected from unauthorized access in a graded manner consistent with the security interest under protection. a. System components used to protect Category I and II, and credible roll-up to Category I and II quantities of SNM, vital equipment, and Top Secret and Secret classified matter must be protected with tamper-indication in both the access and the secure modes. b. Tamper indication is required for intrusion detection/alarm devices, wiring between detection/alarm devices and data gathering panels, RF alarm transmission links, and transmission lines from data gathering panels to annunciators and/or alarm stations. c. Exposed data communications-related wiring (both interior and exterior) for intrusion detection devices and systems used to protect Category I and II quantities of SNM must be protected by rigid conduit (e.g., flexible rigid conduit may be used). d. System components used to protect Government property and security interests other than those itemized above must be protected, consistent with a cost/benefit analysis determined by each facility. e. Sites/facilities must protect the location of a CAS as follows. (1) CASs and SASs must be protected according to the requirements in Chapters VI and VII of this Manual. (2) Commercial CASs must be UL Class AA installations. 2. PROTECTION OF AUTOMATED INFORMATION SYSTEMS. Sites/facilities must protect automated information systems as follows. a. All elements of an automated information system, including remote terminals, printouts, output devices, storage media, and memory, must be afforded physical security protection commensurate with the most highly classified security interest processed by the system. b. An automated information system facility must be located in a security area to provide adequate protection. The physical protection must be commensurate with the most highly classified security interest handled by the system. The area or facility must be securely locked and alarmed when unattended by authorized personnel. c. The computer systems security officer must prescribe methods for limiting access to locations with automated information system remote terminals to authorized users. 3. PROTECTING AUTOMATED INFORMATION CENTERS AND REMOTE INTEGRATION POINTS. Automated information systems centers and remote interrogation points that process classified information must consider the following. a. A "control zone" is defined as (1) the inspectable space above, below, and around equipment and distribution systems that (2) is under sufficient physical and technical control to preclude interception of compromising emanations. The phrase "sufficient physical and technical control" means the degree of control necessary to ensure that the protective force responsible for protecting a controlled space has the authority and ability to investigate and remove any person or device of a suspicious nature that is detected. b. When contained within a larger limited area, automated information systems centers and remote interrogation points used to process classified information must have separate access controls and barriers. These access controls and barriers restrict access to classified information to only those persons with the need-to-know who require the information to perform their official duties. 4. PROTECTION OF RADIO CONTROL CENTERS. Critical and essential safeguards and security radio control centers must be protected at a minimum as a vital area. a The space and utility requirements of radio control centers must comply with DOE O 200.1, INFORMATION MANAGEMENT PROGRAM, dated 9-30-96. b. The following architectural requirements apply. (1) Centers essential to security functions must be without windows, skylights, and roof windows. (2) Barrier penetrations must conform to the 96-square-inch rule. 5. PROTECTION OF RADIO REPEATER STATIONS. Radio repeater stations must be protected and documented in the security plans. a. A radio repeater station must be placed in a location to ensure all-weather access for vehicles and personnel to the station building, antennae, standby generator plant, and fuel storage tank. b. The station must be designed to minimize risk of damage to the antenna structure and supporting guy lines from vehicular traffic and to provide for future expansion. 6. PROTECTION REQUIREMENTS FOR DESIGNATED SECURITY AREAS. Security requirements for DOE Sensitive Compartmented Information Facilities, Special Access Programs, or Top Secret areas where classified information is discussed, processed, stored, or produced are established by the cognizant program security office for that specific program. 7. PROTECTION OF PROTECTIVE FORCE POSTS. The nature of the threat determines the location and manning of fixed and mobile posts. a. When practicable, a protective force post must be situated to provide the best available, unobstructed view of the surrounding terrain. Planning for response times must address the delay provided by physical barriers after the intrusion is first detected. b. Protective force posts for controlling access to areas containing weapons, nuclear test devices, complete nuclear assemblies, or Category I or II roll-up quantities of SNM must meet the following requirements. (1) All routine and emergency fixed posts must be located to enhance the efficiency of routine duties and to ensure that likely routes of adversary ingress and egress are clearly observable. (2) Protective force posts must be constructed to the requirements for a hardened post contained in DOE 5632.7A. (3) Storage of weapons, ammunition, and explosives must comply with the requirements of DOE 5632.7A, Chapter VI, Paragraph 1b(2). c. In protective force towers intended to serve as fighting positions, consideration must be given to providing protected firing ports with hardened exterior walls and a minimum of 60 square feet of net floor area per person. 8. PROTECTION OF INTRUSION DETECTION SYSTEMS. The requirements for physically protecting IDS components are listed below. a. Panels. (1) The alarm control panel or data gathering panel must be protected by a detection device specifically intended for the protection of an enclosure. Otherwise, these data gathering panels must be located within the area of greatest protection; that is, inside the area being protected. (2) When these components are not installed in the area of greatest protection, the installation wiring from a control panel or data gathering panel to the alarm detection devices is to be physically protected from access or be alarmed to indicate attempted access. b. Enclosures and Junction Boxes. Electronic enclosures and junction boxes must be secured against unauthorized access and equipped with tamper alarms; otherwise, they must resist tampering (e.g., by means of seals, alarms, one-way screws, and/or by providing an indication of tampering). c. Line Supervision. Line supervision is required for IDSs protecting safeguards and security interests. For property, line supervision may be provided consistent with a cost/benefit analysis determined by each facility. Where data encryption is used, key changes must be made at 1-year intervals or whenever compromise is suspected. The requirements for line supervision are listed below. (1) Classes of Line Supervision. Performance-based definitions are listed below in descending order of protection. (a) Classes A through C apply to transmission of data bytes. In general, Classes A through C apply to alarm communication links between data gathering panels, between data gathering panels and central alarm computers or alarm annunciator panels, and between computers. 1 For Class A, as a minimum, the data transmission must comply with DOE O 200.1. 2 For Class B, as a minimum, the data transmission must be treated in one of the following ways: a encrypted using a proprietary encryption scheme, which results in non-repetitive communications; b pseudo random polling scheme; c nonencrypted data transmitted over fiber-optic cable enclosed in conduit; d nonencrypted data transmitted over fiber-optic cable monitored by an optical supervision system. 3 For Class C, unencrypted data transmission examples include the following: a RS-232, RS-485, etc., data transmissions standards; b standard repetitive polling schemes; and c exception reporting with repetitive polling for health checks. (b) Classes D through F apply to transmission of information through changes in the analog signal. In general, Classes D through F apply to alarm communication links between a sensor and a data gathering panel. 1 Class D supervision combines various frequencies of ac, pulsed dc, or a combination of AC and DC. 2 Class E supervision is an AC signal. 3 Class F supervision is a DC signal. (2) Line Supervision Options. Different combinations of line supervision are allowed depending on link routing. Different examples of an alarm communication link remaining within the security area, going through a lower security area, are required for the two primary segments of alarm data transmission: from sensor to data-gathering panel and from data-gathering panel to data-gathering panel or central processing unit. d. Alarm Annunciation and Response. Line supervision alarms for data-gathering panel to data-gathering panel or data-gathering panel to central processor (Classes A through C) are to be annunciated in both the CAS and the SAS, indicating the type of alarm (data error, loss of communication, tamper, etc.) and the affected equipment. (1) Sensor to data-gathering panel (Classes C through F) line supervision alarms are to be annunciated in both the CAS and the SAS, indicating the sensor or sensors affected. Multiple tamper switches associated with the same protection system component device (e.g., data gathering panel, junction box, or alarm point) may be wired (daisy chained) together as a single tamper alarm to the monitoring station. (2) Protective force personnel must be put on alert and system maintenance personnel notified when line supervision alarms indicate a loss of only one communications path of a redundant system. (3) Line supervision alarm, tamper alarm, or RF alarm events [e.g., "statement of health" (SOH) alarm, sensor alarm, tamper alarm, and RF jamming indications] must be treated the same as an intrusion alarm for the area being protected. Therefore, the protective force must respond along with maintenance personnel. (4) On annunciation of a tamper or line supervision alarm, the alarm condition must be assessed by maintenance personnel and the CAS/SAS personnel. (a) Tamper/line supervision alarms must be tested through the range of required operation to verify effectiveness, including the testing of the capabilities of the alarm system components being protected by the tamper alarm (i.e., balanced magnetic switch, microwave, passive infrared ). (b) Compensatory measures must be implemented to protect the alarmed location until the required testing and repairs, if applicable, are completed. (c) To negate the possibility of signal substitution, alarms must be tested through physical actuation rather than by a computer-generated, remote-test feature. TABLE 2. ALARM SYSTEM PROTECTION REQUIREMENTS TABLE 2. ALARM SYSTEM PROTECTION REQUIREMENTS (continued) CHAPTER VIII PROTECTION ELEMENT: INTRUSION DETECTION AND ASSESSMENT SYSTEMS 1. GENERAL REQUIREMENTS. The PIDAS must be installed to provide reasonable assurance that breaches of security boundaries are detected and that alarms annunciate at a CAS. The following requirements apply to intrusion detection and assessment systems. a. Real-time intrusion detection and assessments are required. b. Intrusion detection and assessment systems must effectively address all normal environmental conditions common to that area under all common types of lighting conditions. c. An effective method must be established for assessing all IDS alarms (e.g., intrusion, false, nuisance, system failure, and tamper) and radio when RF is used for to protect Category I SNM). (1) IDS alarms must be assessed in a timely fashion by either the protective force or by means of an electronic system like CCTV. (2) CCTV assessment systems used as primary assessment for perimeter intrusion detection alarms must be fixed in place (i.e., not pan, tilt, or zoom). (3) Protective force personnel used in place of or to supplement IDS alarms must conduct their patrols at random intervals, at a documented frequency. d. Response capability to IDS alarms must be provided to protect DOE safeguards and security interests. Response times must be appropriate for the protection strategy employed at the site, or as required in Chapter III of this Manual. The response capability may be provided by assigned protective personnel or by the local law enforcement agency for property protection sites. e. The PIDAS must employ multiple detection layers for protecting Category I and II, and roll-up to Category I or II quantities of SNM. Complementary sensor selection is required when multiple types of sensors are deployed. f. Intrusion detection systems must be designed, installed, operated, and maintained to ensure that the number of false and nuisance alarms does not reduce system effectiveness. (1) While maintaining proper detection sensitivity, each interior intrusion detection sensor must have a combined false alarm/nuisance alarm rate of less than 1 alarm per 2,400 hours of operation. (2) While maintaining proper detection sensitivity, each exterior intrusion detection sensor must have a combined false alarm/nuisance alarm rate of less than 1 alarm per 24 hours of operation. (3) If the alarms can be assessed at all times, either visually or by CCTV, a higher false alarm rate and nuisance alarm rate may be tolerated if such alarms do not degrade the system. This information must be documented. Even though higher rates are tolerated, the fact that an alarm occurred must be documented for analysis and trends purposes. g. Intrusion detection systems and their associated components, such as sensors, multiplexers, power supply cabinets, processors, junction boxes, and alarm access panels that service protected areas, material access areas, or vital areas, must detect tampering (e.g., by means of seals, alarms, one-way screws, and/or some other means). h. Intrusion detection systems must be monitored continuously by personnel assigned to assess alarms and intrusion activities. Monitoring personnel must initiate the appropriate responses. Primary monitoring and assessment of intrusion detection alarms must be accomplished by CAS/SAS personnel. i. Compensatory measures must be provided when the IDS is not in operation or is not operating effectively, or at temporary locations where a permanent IDS is not practical or cost-effective. j. Alarm monitoring systems must annunciate system status changes in the CAS/SAS, including system component failure and loss of primary power. k. The system must have a means of providing the location of the alarm to the system operator, response force, and/or maintenance personnel. l. For the protection of Category I and II, and roll-up to Category I or II quantities of SNM, all intrusion detection, system status, tamper alarms, and line supervision alarms must be annunciated in both the CAS and the SAS. m. Systems and system components protecting classified information must meet the requirements in Chapter III of this Manual. n. Systems and system components protecting Category I and II, and roll-up to Category I or II quantities of SNM must be operably, functionally, and performance-tested at a documented frequency in accordance with procedures established in DOE 470.1, Chapter III. The testing program for all other security interests must be developed and implemented in security planning documents. 2. INTERIOR INTRUSION DETECTION SYSTEM REQUIREMENTS. IDSs must be designed for economy of use, with redundant data communications paths for protecting Category I and II quantities of SNM. All IDSs must be provided a redundant, independent power source. a. The probability of detection for each safeguards and security physical protection system must be established and documented. b. The interior IDS must be capable of detecting attempts to bypass (i.e., any method for going around or over the detection zone of any sensor that is set with a finite detection zone) or spoof (any technique that allows a target to pass through the sensor's normal detection zone without generating an alarm) the IDS. Alarm systems must be designed, installed, and maintained to deter adversaries from circumventing the detection system. (1) The IDS must be tested when it is installed and at least annually thereafter to validate its detection probability and confidence level. (2) If operational testing or effectiveness testing indicates degradation of the IDS or any portion thereof, that portion of the IDS must be revalidated. c. Interior intrusion detection alarms used as compensatory measures for unattended openings in security barriers, portals, utility ducts, or other openings meeting the unattended openings requirements of Chapter V, Paragraph 2a(6), must be operational when the opening is not attended. d. Vaults and vault-type room intrusion alarms must meet the requirements of Chapter XI, Paragraph 2. Intrusion alarms must annunciate when vault openings are accessed. e. Interior alarms providing "envelope" protection inside material access areas, vaults, and vault-type rooms must overlap sufficiently to eliminate unattended openings and areas where intruders would not be detected. f. Balanced magnetic switches, when used, must initiate an alarm upon attempted substitution of an external magnetic field when the switch is in the normally secured position and whenever the leading edge of the door is moved 1 inch (2.5 centimeters) from the door jam. g. Volumetric detectors must detect an individual moving at a rate of 1 foot per second, or faster, within the total field-of-view of the sensor and its plane of detection. h. Systems must be functionally tested in accordance with established procedures at a documented frequency. i. Interior alarm systems protecting classified matter within security areas designated as limited areas or higher must provide the level of protection required by Chapter III of this Manual. 3. EXTERIOR INTRUSION DETECTION SYSTEM REQUIREMENTS. Exterior IDSs must be documented in the SSSP or security plan. Requirements for protected areas, material access areas, and vital areas are as follows. a. The perimeter PIDAS must be capable of detecting an individual (weighing 35 kilograms or more) crossing the detection zone walking, crawling, jumping, running, or rolling (at speeds between 0.15 and 5 meters per second), or climbing the fence, if applicable, at any point in the detection zone with a detection probability of 90 percent, and at a 95 percent confidence level. (1) The IDS must be tested when it is installed and at least annually thereafter to validate that it meets detection probability and confidence level requirements. (2) Any time the system falls below probability of detection, the system must be repaired and revalidated. (3) When calculating detection probability for multiple sensor systems, detection is assumed if any of the sensors detect the intrusion. b. Intrusion detection systems must cover the entire perimeter without a gap in detection, including the sides and tops of buildings situated in the detection area. c. For all openings in exterior barriers, unattended gates and/or portals, and culverts and sewers, intrusion detection capabilities must be at least as effective as the rest of the IDS and must meet the unattended openings requirements of Chapter V, Paragraph 2a(6). d. Intrusion detection systems must overlap sufficiently to eliminate areas of detection gaps or no detection. The length of each detection zone must be consistent with the characteristics of the sensors used in that zone. e. Perimeter IDSs must be (1) designed, installed, and maintained to deter adversaries with the means to circumvent the detection system; (2) provided with an isolation zone at least 20 feet (6 meters) wide and clear of fabricated or natural objects that would interfere with detection systems or the effectiveness of the assessment; (3) free of wires, piping, poles, and similar objects that could be used to assist an intruder traversing the isolation zone or that could assist in the undetected ingress or egress of an adversary or matter. Exceptions to this requirement must be protected by the detection and assessment system or constructed in a manner that deters their use as a means of entering or leaving the area. f. The detection zone of each IDS must be kept free of snow, ice, grass, weeds, debris, and any other item that degrades IDS effectiveness. When this action cannot be accomplished in a timely manner, and detection capabilities become degraded, compensatory measures must be taken to provide timely detection. g. Exterior IDSs require the following. (1) Exterior IDSs must be designed to avoid unnecessary duplication of facilities. Auxiliary power supply facilities, exterior power supply pole lines, and underground power supply duct bank systems must be used jointly for the installation unless joint facility use degrades system performance. Joint use must not expose the security system to damage or unauthorized access. Power wiring and signal wiring may not share the same conduit. (2) Exterior IDSs must provide supervisory and line-tamper circuits commensurate with the requirements in this Manual. h. Intrusion detection systems protecting classified matter within security areas designated as limited areas or higher must provide the level of protection required by Chapter III of this Manual. i. The PIDASs designed for property protection must provide reasonable probability that intruders will be detected as documented in the security plan. 4. ANNUNCIATION AT THE ALARM STATIONS. The following requirements apply to IDS alarm annunciation at the CAS and the SAS. a. Facilities that use commercial alarm station monitoring services to protect Category I and II, and roll-up to Category I or II quantities of SNM and Top Secret matter must connect the sensors by direct, continuously supervised, leased line, or other means that will distinguish DOE facility alarms from all alarms for other customers that are monitored by the service. b. CCTV systems integrated with the alarm station must employ a method to call the alarm station operators' attention to the CCTV monitor when it displays an alarm point activation. 5. RADIO FREQUENCY ALARM COMMUNICATIONS. The RF communications link that replaces the direct hardwired communications link between the sensor and the CAS display panels must maintain a high level of security. a. RF alarm communications systems used to protect Category I SNM are limited to emergencies and temporary situations. (The requirements of this paragraph do not apply to mobile and SNM presence alarm monitoring systems.) b. Emergency and temporary use of RF alarm communications may not exceed 7 days per application and no more than 21 days in a calendar year. c. RF alarm communications systems, as a minimum, must meet all of the following requirements. (1) The RF alarm communications system must be used only as a redundant or alternate path; being hardwired is the primary method. Using two RF frequencies to protect Category I - one as the primary and the other as the secondary path - does not satisfy the DOE requirement for redundant communications paths. Compensatory measures will be required. An exposed, supervised, hardwired system used along with RF may be adequate as a redundant communication path for temporary applications. (2) The systems must provide redundant, self-checking alarm communication paths that annunciate system failure in the alarm stations. Alarm messages that are not acknowledged because of a blocked transmission path must be latched and communicated later through a status or SOH message. (3) The SOH interval must allow for an assessment and response. (4) RF alarm communication systems must be capable of automatically changing the SOH and alarm messages so the messages are not always the same. (5) The system must be capable of detecting and annunciating intentional and unintentional RF jamming. (6) The system must provide unique status change messages for alarm, tamper, and power conditions. (7) The system must provide random or operator-initiated polling features to ensure communication link integrity. (8) Digital Encryption Standard (DES) encryption or other Government-approved encryption techniques must be used for SOH and alarm messages. (9) The enclosure must have tamper-resistant or tamper-alarmed transmitters in both the access and the secure modes. (10) The system must have battery back-up capabilities. (11) The system may not produce spurious signals that interfere with other security systems components. (12) The system must provide a unique electronic address code for each sensor and line supervision from sensor to transmitter. (13) The system must provide a means of interfacing to the alarm annunciation system (i.e., the CAS). (14) Compensatory measures must activate immediately if all or part of the system is being jammed, or if communications are otherwise lost or destroyed. (15) The system must provide communications in all weather conditions and provide immediate compensatory measures if communications are lost or degraded for more than 10 seconds. No alarm data may be lost during the period of lost or degraded communications. (16) The system must address multiple alarm scenario procedures to ensure system credibility is maintained (i.e., that it is not diminished). d. In addition to the above requirements, the site must implement the following procedures to ensure that the system (1) operates in Government frequency bands; (2) is installed and maintained by using the "two-person" rule; (3) is not changed on a network (e.g., from secure mode to access mode); and (4) is functionally tested in accordance with established performance assurance procedures at a documented frequency (DOE O 470.1, Chapter III). e. A vulnerability assessment must be conducted on the site system before it is installed to determine system risk to being "spoofed," "bypassed," or "jammed." 6. LIGHTING REQUIREMENTS. Lighting systems must be adequate to protect the safeguards and security interest. a. Protection system lighting must meet the following criteria: (1) Illumination must be adequate to detect adversaries, to reveal unauthorized persons, and at pedestrian and vehicular entrances, to allow examination of identification and vehicles. (2) Illumination must be adequate to protect classified matter. (3) Maximum use must be made of high-efficiency, high-intensity discharge (HID) lamps, such as metal halide or high-pressure sodium vapor lamps. HID lamps are highly efficient and economical in operation, and their use in protective lighting systems is encouraged. (4) Where lamps require a relight period following a power interruption, and continuous lighting is required, a standby lighting system is required to ensure minimum protective lighting continues during lamp startup and re-strike periods. Accordingly, fixtures next to each other must, when practical and appropriate, be placed on different circuits so that only part of the lighting is extinguished if one circuit becomes inoperative. (5) Facilities requiring protective lighting must have an auxiliary lighting capability of the type and size commensurate with the importance of the facility, the reliability of regular power sources, and the feasibility of using portable lighting equipment. (6) Other than at entry portals, lighting must not illuminate patrol paths or protective force personnel manning fixed posts; that is, lighting used to deter adversaries must illuminate outward from the fixed post. b. Interior lighting requirements for safeguards and security applications include the following: (1) Interior lighting systems must follow the Illuminating Engineering Society (IES) Lighting Handbook. Nonuniform lighting practices must comply with 41 CFR 101-20.116-2. (2) Lighting fixture types, location, and illumination levels must be coordinated with the equipment and functions of telecommunication, alarm, and automated data processing centers to provide the required illumination without (a) interfering with prompt identification of self-illuminated indicating devices, (b) creating reflecting glares that might detract from adequate observation of essential equipment, or (c) creating electrical or electromagnetic interference detrimental to proper operation of equipment. c. Exterior lighting systems must follow the IES Lighting Handbook. System control must use time clocks and/or photocells to provide illumination only when needed. Lighting systems for the protection of Category I and II quantities of SNM and quantities of SNM that roll up to Category I amounts, radiological sabotage targets, and Top Secret matter must have a primary and auxiliary power source. d. Protective lighting for Category I and II quantities of SNM and roll-up to Category I quantities must provide 24-hour visual assessment. (1) Lights must provide a minimum 2 foot-candle illumination at ground level for at least a 30-foot (9.14-meter) diameter around protective personnel posts and around exterior perimeter intrusion detection and assessments system isolation zones, and 0.2 foot-candle illumination for 150 feet (45.72 meters) in all directions. (2) Where protective lighting at remote locations is not feasible, protective personnel patrols and/or fixed posts must be equipped with night vision devices. Night vision devices must not be used routinely in lieu of protective lighting at entrances and exits but may be used if lighting is lost. (3) Light glare must be kept to a minimum if it hampers protective personnel. (4) Light sources on protected perimeters must be located so that illumination is directed outward wherever possible. (5) CCTV assessment must be supported with adequate lighting for the CCTV system employed. e. Protective lighting for other applications must be as specified in local security plans. 7. ELECTRICAL POWER REQUIREMENTS. All IDSs for protecting Category I and II, and roll-up to Category I or II quantities of SNM, radiological sabotage targets, and Top Secret matter must have a primary and auxiliary power source. a. Primary Power Supply. Power sources must contain a switching capability to facilitate operational testing to determine adequate auxiliary power sources. The following power supply requirements apply to safeguards and security. (1) Alarm and Communication Systems. Normal primary power must come directly from the on-site power distribution system or, for isolated facilities, directly from the public utility. Where several primary power sources are available, the most reliable source must be used. (2) Telecommunications, Alarm, and Automated Information Systems Facilities and Radio Repeater Stations. Essential equipment must be connected to an uninterruptible power supply (UPS) or to auxiliary power. Where continuity of service is required for critical cord-connected equipment, twist-lock-type connectors must be used. (3) Radio Control Centers. Power supply requirements must be determined assuming that all transmitters are keyed simultaneously while associated receivers and other equipment and building services are in operation. (4) Power Supply Lines. Circuits must be arranged so that faults, failures, or maintenance on less-critical circuits does not jeopardize critical loads. Protective devices must be used and coordinated for sequential operation from the load to the source. Line location must be established in accordance with clearance requirements stated in American National Standards Institute (ANSI) Standard ANSI-C2 and must be routed within established rights-of-way for each facility. Minimum rights-of-way must extend 5 feet beyond outside conductors. b. Auxiliary Power Sources. Auxiliary power sources must be used with intrusion detection and assessment, automated access control, and CCTV systems used to protect Category I and II, and roll-up to Category I or II quantities of SNM and Top Secret matter. Auxiliary power for systems used to protect other assets must be as approved in applicable security plans. The period of time necessary to implement contingency plans must be documented. (1) Transfer to auxiliary power must be automatic upon failure of the primary source and not affect operation of the protection system, subcomponents, or devices. (2) The CAS and SAS must receive an alarm indicating failure of the protection system primary power and transfer to the auxiliary power source. (3) Rechargeable batteries, when used, must be kept fully charged, or they must be subject to automatic recharging whenever the voltage drops to a level specified by the battery manufacturer. Non-rechargeable batteries must be replaced whenever their voltage drops 20 percent below the rated voltage or manufacturer's recommendations. An alarm signal must be activated at the CAS and SAS to indicate this condition. (4) Auxiliary power sources must have the capability to facilitate operational testing and routine maintenance. c. Standby and Auxiliary Systems. Standby and auxiliary systems must serve loads set forth in NFPA 110. (1) UPS must be provided for equipment that cannot sustain functions through the momentary power loss that occurs when an alternate power source comes on line and picks up the load. (2) Auxiliary power must be provided for protective alarm and communications systems as dictated by the system requirements. Auxiliary power must activate automatically if the primary power source fails; the switch to auxiliary power must be indicated at the CAS/SAS. The annunciator must be located in an occupied area and must indicate any problems with the auxiliary system. (3) Auxiliary or standby power must service security alarm and supervisory sensing devices that have been designated essential. (4) Auxiliary power systems must be capable of maintaining full operation of auxiliary loads for the full time specified (nominally, a minimum of 8 hours). Such power sources must have the necessary built-in features to facilitate operational testing on a periodic basis to verify their readiness. (5) Batteries, when required, must be rechargeable and must be kept fully charged when primary power is available. The charger must automatically switch from float to fast-charge rates at a preset drop in DC bus voltage. The charger must be capable of charging the battery from a fully discharged state to not less than 85 percent of the rated ampere-hour capacity within 24 hours. d. Uninterruptible Power Systems. A UPS must be provided for those loads requiring guaranteed continuous power. CHAPTER IX PROTECTION ELEMENT: ACCESS CONTROL AND ENTRY/EXIT INSPECTIONS 1. GENERAL REQUIREMENTS. The cognizant DOE security office must approve local procedures that implement requirements for access control and entry/exit inspections. The following requirements apply to all security areas. a. Access to a security area, as a minimum, requires verification of a valid access authorization and a valid DOE badge as required by Chapter XV of this Manual. b. Access control requirements must be layered in a graded manner at succeeding boundaries as appropriate for the situation. c. For standardization, the following approved procedures are required for personnel vouching and piggybacking. (1) Consistent with Paragraph (2) below, DOE and contractor personnel with the appropriate access authorization may vouch for or allow another person with the required access authorization level to enter a security area. (2) Each person entering a protected area or a materials access area containing Category I and/or II quantities of SNM must meet all requirements pertaining to access, need-to-know, and submit to entry inspections. Escorted personnel are allowed access to protected areas and material access areas when properly authorized, screened, and under supervision of an assigned escort at all times. (3) Personnel vouching for or permitting piggybacking of another into a security area must inspect the DOE security badge to ensure that it bears a likeness of the individual, and that he/she has the proper access authorization. (4) Time and safety permitting, all personnel within a vehicle are required to produce a valid DOE security badge when accessing a security area. Documentation of exceptions for personnel in vehicles not producing DOE security badges must be described in procedures. (5) Only escort personnel may vouch for or piggyback uncleared persons or persons with a lower access authorization into a security area that requires a higher access authorization and ensure risk mitigation. d. Means must be provided to deter unauthorized intrusion into security areas. Such means include the use of intrusion detection sensors and alarm systems, as specified in Chapter VIII of this Manual, and barriers, random patrols, and/or visual observation. The protection program must include suitable means to assess alarms. e. Automated access control systems may be used if the following requirements are met. (1) Automated access controls, when used for access to any security area, must, as a minimum, verify that the access authorization and the DOE standard badge are valid (i.e., that the badge serial number read by the system matches the serial number assigned to the badge holder). Badges must be validated by means of a PIN or other approved means (e.g., by protective personnel, by personnel-monitored automated access control portals, or by another method/system implemented in SSSP/security plan). (2) Remote, unattended automated access control system portals used to access protection-in-depth security areas do not require a second validation of the badge if (a) protective personnel validate the badge at the concentric security area envelope portals when the individual initially enters the area or (b) use of a PIN supplements presentation of the valid badge at the security area portal. (3) When remote, unattended automated access control system portals are used for access to security areas, the barrier penetration resistance of the unattended access control system portal must be equal to the surrounding building structure. The access control barrier must provide balanced resistance to bypass. (4) Automated access control system intrusion alarms (e.g., annunciation of a door alarm, duress alarm, tamper alarm, or anti-passback indication feature) must be treated in the same manner as an intrusion alarm for the area being protected. (a) Both the CAS and the SAS must be used to monitor and annunciate the automated access control system's intrusion alarm events used to protect Category I and Category II, and roll-up to Category I or II quantities of SNM. (b) Electronic portal search equipment (e.g., metal detectors) may annunciate locally to an individual capable of responding instead of annunciating at the CAS. 2. ACCESS CONTROL SYSTEMS PORTALS. a. Access control systems and entry/exit inspection portals must provide positive control that allows the movement of authorized personnel, vehicles, packages, and material along normal routes while detecting and delaying movement of unauthorized personnel and contraband. b. Portal designs must consider the following. (1) Exits from security areas must be adequate to satisfy the life safety requirements of NFPA 101. Some exits may be provided for emergency use only. (2) Entrances to and exits from security areas must be equipped with doors, gates, rails, or other movable barriers that direct and control the movement of personnel or vehicles through designated portals. (3) Door locks and latches used on security area perimeters must be adequate to satisfy the requirements of NFPA 101. (4) Motorized gate controls, where used, must be located within or immediately adjacent to protective personnel posts at access points. Motorized gates must be designed to facilitate manual operation. (5) Access control points must facilitate ingress and egress of emergency vehicles and fire protection equipment. (6) The number of access control points for each security area must be limited to one or more portals to maintain the barrier integrity. c. The following functions must be performed at access control points or portals. (1) A barrier to personnel entering security areas must be provided until entry is requested and authorized. (2) Portals directly protecting SNM must permit entry of only one person per request unless material surveillance procedures are required. (3) Access must be controlled whenever a request is made to go from a lower security area into another security area with increased protection requirements. (4) Entry and exit inspections must be conducted at access control points or portals to deter introduction of prohibited and controlled articles and unauthorized removal of the safeguards and security interest. 3. AUTOMATED ACCESS CONTROL SYSTEMS. Automated access control systems may be used in place of or in conjunction with protective personnel to meet access requirements. a. Equipment. Automated access control equipment, where used, must meet the following requirements. (1) A DOE security badge must be used to access electronically stored information relevant to the badge and badge holder. (2) The probability of an unauthorized individual gaining access through normal operation of the equipment must be documented. (3) The probability of an authorized individual being rejected for access through normal operation of the equipment must be documented. (4) The access authorization list must be updated when an individual's access authorization has changed or when the individual is transferred or reassigned. (5) Unattended badge readers at protected areas and material access areas must be equipped with anti-passback protection. b. Personnel Augmentation of Automated Access Control Systems. Automated access control systems may be used in place of or in conjunction with protective personnel to control access into security areas. If security areas require additional screening (e.g., at a protect ed area or material access area boundary), and when the PIN or biometric system is either not working or not implemented, protective personnel be utilized as documented in the SSSP. (1) The number of protective force personnel must be sufficient to augment inspections for contraband, with the automated access system determining final access. (2) Portals using automated access or badge reader systems for access control must ensure that the barrier portal provides the same level of protection as the portal controls. Size of the opening must not exceed the standards established by this Manual. c. Protection. Automated access control systems and associated equipment used to protect Category I and/or II quantities of SNM, vital equipment, and/or classified matter must be protected in the following manner. (1) Surveillance by authorized personnel and the use of structural safeguards or other protective devices is required to protect PINS, card reader access transactions, displays (e.g., badge-encoded data), and the processes of imputing, storing, displaying, or recording verification data. (2) Keypad devices that do not have scrambled-number keypads must be equipped with shielding or be installed so that an unauthorized person in the immediate vicinity cannot observe the selection of keys. (3) The system must record attempted unsuccessful, unauthorized access. (4) Automated access control systems are used to read data entered by the person requesting access; if the data is successfully compared to existing data, the portal is electrically unlocked. Where required, such systems must provide assurance that the material surveillance procedure has been met prior to allowing access. (5) Door locks opened by badge readers must be designed to relock immediately after the door has closed. (6) Transmission lines that carry access authorization and personal identification or verification data between devices/equipment must be protected to deter the introduction of data that would permit unauthorized access. (7) Access to records and information concerning access authorization and personal identification or verification data is restricted to individuals cleared at the same level as the information contained within the specific area or areas where identification data or PINs are used. Access to identification or authorization data, operating system software, or any identifying data associated with the access control system is limited to the least number of people possible consistent with operational requirements. (8) Records reflecting active assignments of badges, PINs, levels of access, security clearances, and similar system-related records must be maintained. Records concerning personnel removed from the system must be retained for 1 year unless a longer period is specified by other requirements. (9) Badge reader boxes, control lines, and junction boxes must be supervised, tamper-alarmed, or equipped with tamper-resistant devices. Data gathering panels, or multiplexers, and other similar equipment must be tamper-alarmed or otherwise secured. (10) Auxiliary power must be provided at installations where continuous service is required. 4. ENTRY/EXIT INSPECTIONS. The following safeguards and security requirements apply to entry and exit inspections. The inspection process must be documented in the SSSP or security plans and validated. a. Inspection Equipment. Metal detectors, SNM monitors, explosives detectors, and X- ray machines, as described below, must be used in lieu of or to supplement protective personnel conducting inspections for prohibited articles and Government property (e.g., SNM). (1) Inspection Elements. (a) Passage of individuals, vehicles, and/or packages through security area portal equipment must be observed and controlled by protective personnel. Hand-held and/or portable detectors, SNM monitors, etc., should be available to resolve alarms and as compensatory measures for power failures. (b) Auxiliary power should be provided to all portal inspection equipment. (c) Bypass routes around inspection equipment must be closed or monitored to deter unauthorized passage of personnel and hand-carried articles. (2) Measures must be taken to preclude the unauthorized changing of control settings on all portal inspection equipment. (3) Alarms must annunciate audibly and visually to attending protective force personnel. b. Exit Inspection Procedures. Where required, personnel, vehicles, and hand-carried items, including packages, briefcases, purses, and lunch pails, are subject to exit inspections to deter and detect unauthorized removal of safeguards and security interests from security areas. Collocated SNM monitors and metal detectors must be used to inspect personnel for SNM. Personnel may be inspected visually for classified matter or other safeguards and security interests. (1) Metal Detectors. Metal detectors are an acceptable means of inspecting for metallic SNM shielding. When credible theft scenarios do not require the detection of an object (such as lead), and when requirements are properly documented, detection limits suitable to specific situations must be established. (2) SNM Monitors. SNM monitors may be used to inspect for concealed SNM. c. Compensatory Measures. Compensatory measures must be available at each location in the event of portal search/inspection equipment failure. d. Inspection Procedures. Personnel, mail, vehicles, and packages must be inspected prior to or at entrances of security areas to prevent the introduction of concealed prohibited articles. (1) Explosives Detection. Explosive detection programs must provide assurance that explosives are not introduced without authorization. (a) Portal explosive detection systems must be used at the entrances to protected areas and material access areas to supplement the inspection process performed by protective personnel. (b) The detection capability must be based on the one-time introduction of the threat quantity. (c) The extent and frequency of detection activities must be determined by the cognizant local DOE authority for safeguards and security. Random detection may be performed at the property protection area and limited area boundaries. (d) Procedures for countering the introduction of explosives into a site/facility must address the introduction of explosives by all type vehicles. (2) Portal Metal Detection. Metal detectors used in the inspection process must provide assurance that weapons are not introduced without authorization. (a) Portal metal detectors used for protected area entry applications must, at a minimum, detect test weapons listed in Paragraphs 4d(2)(c), 1 and 2 below in all locations throughout the detection field. (b) Portal metal detectors used for material access area entry applications must, at a minimum, detect test weapons listed in Paragraphs 4d(2)(c), 1, 2, and 3 below in all locations throughout the detection field. (c) The following must be used as standard test weapons: 1 steel and aluminum alloy 0.25-caliber automatic pistol, manufactured in Italy by Armi Tanfoglio Giuseppe, sold in the United States by Excam as Model GT27B and by F.I.E. as the Titan (weight: approximately 343 grams); 2 Aluminum Model 7, 0.380-caliber Derringer, manufactured by American Derringer Corporation (weight: approximately 200 grams); 3 stainless steel 0.22-caliber long rifle mini-revolver; manufactured by North American Arms (weight: approximately 129 grams). (3) X Ray. X-ray machines used in the inspection process must be capable of detecting bulk and hand-carried prohibited articles entering protected areas and material access areas. (a) X-ray machines are used to reinforce and supplement both the explosive and metal detectors above. (b) X-ray machines must be capable of imaging a 26-gauge wire at Step 5 of an American Society for Testing and Materials (ASTM) step wedge. (Reference: American Society of Testing Materials Standard 792-88, Standard Practice for Design and Use of Ionizing Radiation Equipment for the Detection of Items Prohibited in Controlled Access Areas.) (4) SNM Monitors. (a) SNM monitors must meet detection requirements established in DOE M 474.1-1, and the physical protection requirements of DOE M 473.1-1. (b) False alarm rates may not exceed an average of one per 8-hour period. CHAPTER X PROTECTION ELEMENT: BARRIERS AND LOCKS 1. GENERAL REQUIREMENTS: BARRIERS. Physical barriers, such as fences, walls, doors, or activated barriers, must be used to deter and delay unauthorized access to security areas. a. Physical barriers must serve as the physical demarcation of the security area. (1) Barriers must be used to facilitate effective and economical use of protective personnel and to direct the flow of personnel and vehicular traffic through designated portals in a manner to permit efficient operation of access and entry control inspections. (2) Portals must provide a barrier resistance to bypass, and they must extend from the true ceiling to the floor and from barrier wall to barrier wall. (3) Permanent barriers must be used to enclose security areas, except during construction or transient activities, when temporary barriers may be erected. Temporary barriers may be of any height and material that effectively impedes access to the area. (4) Fences used for perimeter barriers must be installed not less than 20 feet (6 meters) from the building or material under protection. If the distances specified cannot be accommodated because of property lines, building locations, health and safety, or other site-specific considerations, and unacceptable risk is created, supplementary protective measures must be provided. The design criteria for fences and barriers are included in this chapter. (5) Barriers must provide adequate strength for protection with respect to the safeguards and security interests being protected. (6) Unattended openings in barriers must be protected as required in Chapter V, Paragraph 2a(6) (7) Wire mesh used to enhance penetration resistance must be 2 square inches or smaller mesh of No. 11 American Wire Gauge or heavier steel wire or expanded metal. (8) Sound attenuation for those areas designated for classified discussions must be incorporated in accordance with the Technical Surveillance Countermeasures Procedural Manual. b. Access delay times provided by the barrier used as a security area boundary must be documented. (1) Breaching tools used against the barrier must be documented. (2) Access delay times must be used in vital areas. 2. FENCING. When used for deterrence purposes, fencing must meet the following minimum construction requirements. a. Temporary Security Fencing. During construction or transient activities, temporary security fencing must be installed to (1) exclude unauthorized vehicular and pedestrian traffic from the construction site; (2) restrict authorized vehicular traffic to designated access roads; (3) protect construction materials and installed work from sabotage and curiosity seekers; (4) protect construction sites against vandalism or theft; (5) provide construction site integrity and a clear zone to suit site-specific conditions; and (6) provide consistency with site-specific security and protection goals and operational requirements. b. Permanent Security Fencing. When used for protection purposes, fencing must meet the following construction requirements. (1) Alternative barriers may be used instead of fencing if the penetration resistance of the barrier is equal to or greater than standard fencing. (2) Fencing must be limited to that required for safety, physical security, and activity control. Fencing must be grounded around substations, fuel storage areas, and other areas where static electricity or electrical discharge could create a hazard. (3) Areas under security fencing subject to water flow, such as bridges, culverts, ditches, and swales, must be blocked with wire or steel bars that adequately provide for the passage of floodwater but also provide a penetration delay equal to that of the security fence. (4) Depressions where water flow is not a problem must be covered by additional fencing suspended from the lower rail of the main fencing. Weed control may justify paving the area beneath fences. c. Security Fence Design Considerations. Safeguards and security fences must be designed to address the following considerations. (1) Fencing must extend to within 2 inches (5 centimeters) of firm ground, or below the surface if the soil is unstable or subject to erosion. Surfaces must be stabilized in areas where loose sand, shifting soils, or surface waters may cause erosion, thereby assisting an intruder in penetrating the area. Where surface stabilization is impossible or impractical, concrete curbs, sills, or similar types of anchoring devices extending below ground level must be provided. (2) Unattended openings, as described in Chapter V2a(6), must be protected. (3) Fencing Materials and Specifications. The following requirements apply to fencing materials. (a) Galvanized steel chain link fabric, consisting of a minimum of 11-gauge with mesh openings not larger than 2 inches, must be used at security areas. This fencing must be topped by three or more strands of barbed wire on single or double outriggers. Double outriggers may be topped with coiled barbed wire (or with barbed tape coil). When single barbed wire outriggers are used, they must be angled outward, away from the security area. (b) Overall fence height, excluding barbed wire or barbed tape coil topping, must be a minimum of 7 feet (2.13 meters). (c) Wood fencing may be used to comply with nonmagnetic requirements and to obstruct the view into limited personnel access areas. (d) Woven wire fencing should be limited to railway and highway rights-of- way. (e) Barbed wire fencing may be used for boundaries of open, undeveloped area. (4) Fence lines must be kept clear of vegetation, trash, equipment, and other objects that could impede observation or facilitate bridging. (5) Gate hardware for security fencing must be installed in a manner to mitigate tampering and/or removal (e.g., by brazing, peening, or welding). (6) Security fences are not required around property protection areas, unless documented in the SSSP or security plan. (7) Alternative barriers may be used in lieu of fencing if the penetration resistance of the barrier is equal to or greater than the standard fencing described in 2b above. (8) Where appropriate, the following design criteria must be shown on the facility drawings: (a) materials (e.g., fence fabric, posts, concrete, fence anchor sills or bottom rails, tension wires, barbed wire, and outriggers); (b) grading (e.g., horizontal alignment, vertical alignment, clearance from obstructions, utility crossings, and surface and subsurface drainage); (c) soil stabilization (i.e., �3-inch maximum variation in planar surface for microwave or active infrared); (d) permanent vegetation control [i.e., herbicide along the base of fence and within a clear zone 20 feet (6 meters) to each side of a fence or permanent pavement beneath a microwave or active infrared beam line]; (e) electrical grounding; (f) closures (e.g., gate sizes, types, clearances, hardware, motor operators, control systems, and direction of swing); (g) barrier heights including buildings located on the barrier to impede unauthorized access to security areas. (9) A clear zone must be provided along each side of security fence perimeters to facilitate intrusion detection and assessment. Double fences should be separated by a clear zone of at least 20 feet (6 meters). If this minimum distance is not possible, supplementary protective measures must be considered (e.g., greater fence height or other protective measures). (10) Vehicle barriers (i.e., wire-rope-type) must be considered for outside the inner fence where the secured perimeter bounds heavy vehicular traffic areas. (11) Posts, bracing, and other structural members must be located on the inside of secured perimeters. Where the galvanized finish has been removed or damaged during installation, the posts, bracing, and other structural members must be coated with zinc-enriched paint. (12) Electrical grounding must be provided for all permanent security fencing in accordance with the National Engineering Code. 3. PERIMETER ROADS AND WALKWAYS. All-weather patrol roads or walkways must be provided along the inside of the perimeter security fence surrounding security areas if the security fence is to be patrolled by protective force personnel. Turnouts must be considered for use at frequent intervals if roadway shoulders are not available for vehicle parking. 4. PERIMETER BARRIER GATES AND ENTRY CONTROL POINTS. The number of entry control points (ECPs) must be limited to establish and maintain security integrity. a. Points of vehicle and pedestrian access to security areas must provide the same level of protection as that provided at all other points along the security perimeter. b. ECPs must be designed to provide positive security control over vehicular and pedestrian traffic entering the secured area. ECPs must be structurally hardened, as necessary, to meet site-specific criteria. c. ECP designs must facilitate ingress and egress of emergency vehicles, such as fire protection equipment. d. Where feasible, the ECP must be placed within the protective barriers so that the ECP can be closed during low-traffic periods and the PIDAS enabled. This configuration must provide a continuous PIDAS zone at the barrier that encompasses the ECP. e. Motorized gates must be considered for primary access points. Where practicable, motorized gate controls must be located within protective force stations at each access point. Motorized gates must be designed to facilitate manual operation during power outages. f. Electrical continuity must be provided across all gate openings. Operating mechanisms for motorized gates must be grounded. g. The number of ECPs within each security boundary must be minimized. ECP design features must comply with NFPA 101. h. Primary and auxiliary alarm and communication systems must be provided between ECPs and the response force communications center. i A UPS must be considered for loads that, if interrupted, would degrade the security of the associated area. 5. WALLS. Walls serving as security area boundaries must meet the following requirements. a. Building materials must offer penetration resistance to, and evidence of, unauthorized entry into the area. Construction must meet local building codes. b. When transparent glazing material is used, visual access to the classified material must be prevented by the use of drapes, blinds, or other means. c. Insert-type panels (if used) must be such that they cannot be removed from outside the area being protected without showing visual evidence of tampering. d. Walls that constitute exterior barriers of security areas must extend from the floor to the structural ceiling, unless equivalent means are used. 6. CEILINGS AND FLOORS. Ceilings and floors must be constructed of building materials that offer penetration resistance to, and evidence of, unauthorized entry into the area. Construction must meet local building codes. 7. DOORS. Doors and doorjambs must provide the necessary barrier delay rating required by the security plan. As a minimum, requirements must include the following. a. Doors with transparent glazing material may be used if visual access is not a security concern; however, they must offer penetration resistance to and evidence of unauthorized entry into the area. (1) Doors that serve as the primary physical security barriers must provide penetration resistance equal to that of the adjoining walls, ceilings, and floors. (2) If visual access is not a factor, doors with glass panels may be used; however, glass door panels must comply with Paragraph 8b below, or be equipped with wire mesh fastened securely to the door, preferably on the inside. b. Where more than one door is required for a security area, single doors or double doors with a removable mullion between them must be used. c. Doors that serve exclusively as emergency and evacuation exits from security areas must- (1) not be accessible from outside the security area, (2) comply with NFPA 101, (3) not open into spaces of greater security, and (4) comply to DOE security requirements. d. Offices or rooms where Secret or Top Secret information is discussed on a recurring or routine basis must be secured and the discussions conducted according to the provisions of the DOE Technical Surveillance Countermeasures procedures. e. A sight baffle must be used if visual access is a factor. f. An astragal must be used where doors used in pairs meet. g. Door louvers, baffle plates, or astragals, when used, must be reinforced and immovable from outside the area being protected. 8. WINDOWS. The following design requirements must be applied to security windows. a. Frames must be securely anchored in the walls, and windows must be locked from the inside. (1) Windows may be installed in fixed (i.e., unopenable) frames so that the panes cannot be removed from outside the area being protected. (2) Where double or triple glazing is required, insulating glass units, not multiple glazing, must be used. (3) Windows and curtain walls must be designed for wind loads in accordance with the Uniform Building Code. (4) Windows used as the primary physical security barriers must (a) provide penetration resistance equal to the adjoining walls, ceilings, and floors; (b) be constructed of shatter-resistant, laminated glass panes of 9/32-inch minimum thickness or other material providing an equal degree of resistance. b. Visual barriers must be used if visual access is a factor. 9. UNATTENDED OPENINGS. a. Physical protection features must be implemented at all locations where storm sewers, drainage swells, and site utilities intersect the fence perimeter. b. Unattended openings in security barriers that meet the following criteria must be protected or compensatory measures applied: (1) the opening is larger than 96 square inches (619.20 square centimeters) in area and larger than 6 inches (15.24 centimeters) in the smallest dimension; and (2) the opening is located within 18 feet (5.48 meters) of the ground, roof, or ledge of a lower security area; or (3) the opening is located within 14 feet (4.26 meters) diagonally or directly opposite windows, fire escapes, roofs, or other openings in uncontrolled adjacent buildings; or (4) the opening is located within 6 feet (1.83 meters) of other uncontrolled openings in the same barrier. 10. ACTIVATED DISPENSABLE BARRIERS, DETERRENTS, AND OBSCURANTS. Activated dispensable barriers, deterrents, and obscurants, if used, must meet the following requirements. a. Obscurants must consider spatial density versus time. b. Other dispensable materials must be prudently implemented and individually evaluated for effectiveness of delay. c. Controls and dispensers must be protected from tampering and must not be collocated. 11. VEHICLE BARRIERS. Vehicle barriers must be used to preclude, deter, and where necessary prevent penetration into security areas when such access cannot otherwise be controlled. a. Above-grade vehicle barriers must be considered to preclude intruder concealment. b. Speed reducers must be considered for use at ECPs to slow approaching adversary vehicles to within vehicle barrier design limits if needed to achieve site-specific threat/target system response requirements consistent with the operational and protection goals of the facility. 12. HARDWARE. Screws, nuts, bolts, hasps, clamps, bars, wire mesh, hinges, and hinge pins must be fastened securely to preclude removal and to ensure visual evidence of tampering. Hardware accessible from outside the area must be peened, brazed, or spot-welded to preclude removal or otherwise secured by tamper-resistant hardware (e.g., nonremovable hinge pins). 13. GENERAL REQUIREMENTS: LOCKS. The requirements for security locks must be applied in a graded fashion. a. General. Consideration must be given to the safeguards and security interest being protected, the identified threat, existing barriers, delay time provided by the lock, and other protection measures afforded when determining which requirements to follow. b. Key Locksets. Key locksets must meet ANSI Standard A156.2, American National Standards for Bored and Preassembled Locks and Latches. c. Positive Locking Devices. Access doors to security posts must be provided with positive locking devices to prevent unauthorized entry. d. Lock Hardware. (1) Lock bars must be 1-1/4 inch (31.75 millimeters) by 3/16 inch (4.76 millimeters) or equivalent in cross section and constructed of material hardened to Rockwell C59 to C63 standards, including rivets. (2) Hasps and yokes on repositories containing classified matter must be constructed of material hardened to Rockwell C59 to C63 standards; be at least 1/4 inch (6.35 millimeters) in diameter or equivalent cross section; and be secured to the repository by welding or riveting. (3) Panic hardware or emergency exit mechanisms used on emergency doors located in security areas must be operable only from inside the perimeter and must meet all applicable Life Safety Codes. (4) Federal standard FED-STD-809 must be used for the neutralization and repair of GSA-approved security containers. e. Key Management. Security keys must be protected at the level approved by the security plan. An inventory and accountability system must be implemented. CHAPTER XI PROTECTION ELEMENT: SECURE STORAGE 1. GENERAL REQUIREMENTS. Classified safeguards and security interests must be protected as specified in Chapter III of this manual. Vaults, vault-type rooms, or security containers providing secure storage must meet the following requirements: a. Secure storage must be under the protection of intrusion detection alarms with a security force response and patrol capability as follows. (1) A vault must be under intrusion detection alarm protection with protective force response within 15 minutes of alarm annunciation. (2) A vault-type-room located within a limited, exclusion, protected, or material access area must be under intrusion detection alarm protection with protective force response within 15 minutes of alarm annunciation. (3) A vault located outside DOE security areas must be under intrusion detection alarm protection with protective force response within 5 minutes of alarm annunciation. b. Vaults must be fire-resistant, windowless, penetration-resistant enclosures with intrusion detection alarms on the doors. c. SNM vaults built after 7-15-74 for the Protection of Category I quantities of SNM, Attractiveness Level A, must be underground or below-grade construction. d. Locks must meet Federal Specification FF-L-2740. The existing three-position changeable combination locks on GSA-approved Class 5 security containers may continue to be used until replaced, or until October 1, 2012. All security containers placed into service after the date of this Manual must have a lock that meets Federal Specification FF-L-2740. e. Open storage of Secret and Confidential classified matter is allowed in a vault-type room and a vault-type room complex. Open storage of Top Secret material is allowed in a vault. (1) For open storage, perimeter walls, floors, and ceiling must be permanently constructed, attached to each other, and constructed to provide visual evidence of unauthorized penetration. (2) Doors for open storage construction must be constructed of wood, metal, or other solid material. Entrance doors must be secured with a built-in, GSA- approved three-position combination lock. f. Access to vaults and vault-type rooms must be strictly controlled and based on an appropriate access authorization and an authorized need-to-know. Persons without need-to-know and the appropriate access authorization must be under escort at all times. Supplementary protective measures to mask classified matter must be employed prior to access by cleared persons without need-to-know or visitors. 2. VAULTS AND VAULT-TYPE ROOMS. The minimum standards required for construction of vaults and vault-type rooms other than modular vaults apply to all new construction, reconstruction, alterations, modifications, and repairs. a. Vault Construction. Wall, floor, and roof construction must comply with nationally recognized standards of structural practice, to Executive Order 12958, Presidential Directive on Safeguarding Classified National Security Information. The requirement for thickness must be determined by the requirement for forcible entry delay times for the safeguards and security interest stored within, but must not be less than the delay time provided by 8-inch-thick concrete poured in place, with a minimum 28-day compressive strength of 2,500 pounds per square inch (17,237 kilo-Pascal). As an alternative to minimum concrete thickness or structural criteria specified in the following sections, activated barriers may be used to reduce construction and achieve the same delay time. (1) Doors. For a vault not containing SNM, the type of door and frame complying with Class 5 Standards of Federal Specification AA-D-600B, "Door, Vault, Security," must provide the desired level of protection. (2) Floor and Walls. Walls must be extended to the underside of the roof and ceiling slab above. (3) Roof and/or Ceiling. The roof and/or ceiling must be a monolithic, reinforced concrete slab. (4) Hardware. Heavy-duty builder's hardware must be used in construction, securely fastened to preclude surreptitious removal and to ensure visual evidence of tampering. Hardware accessible from outside the area must be peened, pinned, brazed, or spot-welded to preclude removal. (5) Miscellaneous Openings. Any unattended openings that meet the intent of the unattended opening requirement of Chapter V, Paragraph 2a(5), must be equipped with intrusion detection, or barriers such as 9-11 American Wire Gauge wire mesh, 9-gauge expanded metal, or rigid steel bars at least one-half inch (1.3 centimeters) in diameter and welded vertically and horizontally 6 inches (15.24 centimeters) on center. The rigid steel bars must be securely fastened at both ends to preclude removal. Where wire mesh, expanded metal, or rigid metal bars are used, reasonable assurance must be provided that classified matter within the vault cannot be removed with the aid of any type of instrument. After installation, the annular space between the sleeve and the pipe or conduit must be filled with lead, wood, waterproof caulking, or similar material to give evidence of surreptitious removal. (6) SNM Vault. An SNM Vault must be a penetration-resistant, windowless enclosure that has (a) walls, floor, and ceiling substantially constructed of materials that afford forced penetration resistance at least equivalent to that of 8-inch-thick reinforcement concrete; (b) any openings greater than 96 square inches in area and over 6 inches in the smallest dimension protected by imbedded steel bars at least 5/8 inches in diameter on 6-inch centers both horizontally and vertically; (c) a built-in combination locked steel door that in existing structures is at least 1-inch thick, exclusive of bolt work and locking devices, and that for new structures at least meets the Class 5 standards set forth in Federal Specifications AA-D-600B. (7) Modular Vaults. A modular vault approved by the General Services Administration (GSA) may be used in lieu of a vault for the storage of classified matter. The modular vault must be equipped with a GSA-approved vault door and locks, and intrusion detection alarms as specified in Chapter XI, paragraph 4.b. of this manual. b. Vault-Type Room Construction. The standard for constructions meet the requirements of Annex A to Executive Order 12958, Presidential Directive on Safeguarding Classified National Security Information. The following minimum standards are required for all new construction, reconstruction, alterations, modifications, and repairs of existing areas. (1) Hardware. Heavy-duty builder's hardware must be used in construction, securely fastened to preclude surreptitious removal and to ensure visual evidence of tampering. Hardware accessible from outside the area must be peened, pinned, brazed, or spot-welded to preclude removal. (2) Floors and Walls. Construction materials must offer resistance to and evidence of unauthorized entry into the area. If insert-type panels are used, a method must be devised to prevent the removal of such panels without leaving visual evidence of tampering. (a) Should any of the outer walls be adjacent to space not controlled by DOE, the walls must be constructed of more substantial building materials, such as brick, concrete, corrugated metal, etc. (b) If visual access is a factor, area barrier walls must be opaque or translucent. (3) Windows. Those windows that open and are less than 18 feet (5.48 meters) from an access point (e.g., another window outside the area, roof, ledge, or door) must be fitted with �-inch (1.3-centimeter) bars that are separated by no more than 6 inches (15.24 centimeters), plus crossbars to prevent spreading, and/or18-gauge expanded metal, or wire mesh securely fastened on the inside. (a) If visual access is a security concern, the windows must be closed and locked and made to be translucent or opaque. (b) During non-working hours, the windows must be closed and securely fastened to preclude surreptitious entry. (4) Doors. Doors must be of wood or metal and of substantial construction. Windows, panels, or similar openings must be secured with 18-gauge expanded metal or wire mesh securely fastened on the inside. Wooden doors must be of solid core construction, 1.75 inches thick, or faced on the exterior side with at least 16-gauge sheet metal. (a) If visual access is a security concern, windows must be translucent or opaque. (b) When doors are used in pairs, an astragal must be installed where the doors meet. (c) When used, door louvers or baffle plates must be reinforced with 18-gauge expanded metal or wire mesh fastened inside the area. (5) Ceilings. (a) When wall barriers do not extend to the true ceiling and a false ceiling is created, the false ceiling must be reinforced with wire mesh or 18-gauge expanded metal to serve as a true ceiling, or ceiling tile clips must be secured. 1 Any wire mesh or expanded metal used must overlap the adjoining walls and be secured to show evidence of any tampering. 2 When ceiling tile clips are used, a minimum of four clips must be installed per tile. The clips must be installed from the interior of the area, and each clip must be mounted to preclude surreptitious entry. (b) In some instances, there may be a valid justification for not erecting a solid suspended ceiling as part of the area. For example, in areas where overhead cranes are used to move bulky equipment, the air conditioning system may be impeded by the construction of a solid suspended ceiling, or the height of the classified matter may make a suspended ceiling impractical. In such cases, special provisions, such as motion detection devices, must be used to ensure that the area cannot be entered surreptitiously by going over the top of the barrier walls. (6) Miscellaneous Openings. Miscellaneous openings must meet the requirements for vaults given in Chapter V, Paragraph 2a(6). (7) A vault-type room used for storage of SNM, Attractiveness Level B, must be provided enhanced protection [e.g., by collocating the room with the protective force response station and/or activated barrier(s)]. 3. VAULT-TYPE ROOM COMPLEX. The vault-type room complex barriers must meet the penetration resistance, intrusion detection, and access control requirements of a vault-type room. a. Vault-type room safeguards and security criteria may be extended to multiple rooms, including an entire building. Individuals must be authorized for access to all safeguards and security interests within the vault-type room complex before they are allowed to enter, unless supplementary protective measures are employed. b. The general requirements for a vault-type complex are listed below. (1) Barrier requirements apply to the outer walls, floor, and ceiling. (2) Outer walls must extend from true floor to true ceiling. (3) Interior walls may extend only to a false ceiling and/or raised floor. (4) Interior doors, windows, and openings may exist between different work areas. c. The requirement to detect unauthorized access may be accomplished through direct visual observation by an individual authorized in the area or through intrusion detection sensors. Detection of "inner wall" penetration or motion within the vault-type complex is not required. False ceilings and raised floors are permitted. d. Intrusion sensors associated with walls, floors, and ceilings that are not under constant visual surveillance but are associated with the vault-type room complex envelope must be activated and functioning correctly at all times. 4. INTRUSION DETECTION SYSTEMS. IDSs are required for vaults, for vault-type rooms, and in some instances for containers used to store classified safeguards and security matter. a. Vaults. Doors or openings allowing access into vaults must be equipped with IDS devices. A balanced magnetic switch, or other equally effective device, must be used on each door or movable opening to allow detection of attempted or actual unauthorized access. b. Vault-Type Rooms. IDSs for vault-type rooms must be capable of detecting penetration through floors, walls, ceilings, and openings, or movement within the facility envelope, consistent with that required to remove or compromise security interests within the vault-type room. (1) Where IDS sensors are used to detect facility envelope penetration, the openings discussed in Chapter V, Paragraph 2a(6) of this Manual, must be referenced for the minimum required detectable size of penetration. The only exception is on-grade, concrete floors that do not require detection. (2) Where IDS sensors are used to detect movement within the facility envelope, sensor coverage must be provided for credible pathways from the facility envelope to the matter being protected. Credible pathways must consider visual protection and must be documented. If the distance between the true floor (or ceiling) and the false floor (or ceiling) does not exceed 6 inches (15.24 centimeters), intrusion alarms are not required between the two floors (or ceilings). (3) In addition to detecting penetration of the facility envelope or movement in the room, a balanced magnetic switch or other equally effective device must be used on each door or movable opening to allow detection of attempted or actual unauthorized access. (4) For open storage of secret matter within a PA, two physically separated barriers contained within concentric security areas, with separate entry controlled portals are required. In addition, the material must be contained in a locked facility or storage container, be equipped with intrusion detection systems, and provide access control to the entrance to storage facility. Need- to-know requirements must be maintained. Response forces and patrols must be capable of meeting response requirements of Chapter III of this manual. Refer to Chapter II of this manual for physical protection requirements for SNM. c. Security Containers: Security containers not equipped with locks meeting Federal Specification FF-L-2740, must be stored in a locked room or facility equipped with intrusion detection equipment, and within the minimum protection of a DOE designated Limited Area, depending upon the classification of the material stored. In addition, the security containers must be under the protection of intrusion detection alarms. Under the protection of intrusion detection alarms means that the containers must be protected within the protection envelope of intrusion detection systems with the alarm detection on the surface of the security containers or steel filing cabinets, or the material being protected. 5. SECURITY CONTAINERS. The GSA establishes the national minimum standards and specifications for commercially manufactured security containers. Containers purchased after 7-14-94 must conform to the latest GSA standards and specifications. a. Security Container Requirements. (1) Test Certification Label. Security containers, cabinets, or repositories must bear a test certification label on the inside of the locking drawer or door and must be marked "General Services Administration-Approved Security Container" on the outside of the top drawer or door. (2) Maintenance. Maintenance information must be maintained for all containers. A history for each security container describing damage sustained and repairs accomplished must be recorded on Form 809 and retained for the life of the security container. (3) Transfer of Security Containers. When a security container is transferred from one organization to another, the custodian from the original organization must certify in writing that all classified matter has been removed prior to the transfer. Certification must be made to the organization's security office and must include the security container's make and property tag number (or other unique identifying numbers or markings), the custodian's name and organization, and the statement "All classified matter has been removed from this (these) security container(s) prior to transfer from my (transferring) organization to (receiving) organization." b. Damage and Repair of General Services Administration-Approved Security Containers. Only appropriately cleared or escorted safe technicians or locksmiths may neutralize lockouts or repair any damage that affects the integrity of a security container approved for the storage of classified information. (1) Requirements in FED-STD-809, Neutralization and Repair of GSA Approved Containers, must be met for neutralization and repair of GSA- approved containers and vault doors. (2) Physically modified containers are not considered approved by the GSA. CHAPTER XII PROTECTION ELEMENT: COMMUNICATIONS 1. GENERAL REQUIREMENTS. Communications equipment must be provided to facilitate reliable information exchanges between protective personnel. The communications equipment must meet the following requirements. a. Facilities protecting Category I and II, and roll-up to Category I or II quantities of SNM must have a minimum of two different voice communications technologies to link each fixed post, CAS, SAS, and protective force personnel dispatch point within the facility. b. Alternate communications capabilities must be available immediately upon failure of the primary system. Channels considered critical to protective personnel communications must have backup stations. Records of the failure and repair of all communications equipment must be maintained in a form suitable for compilation by type of failure, unit serial number, and equipment type. c. A continuous electronic recording system must be provided for all security radio traffic and telecommunications lines that provide support to CASs in the interest of national security. The logging recorder must be equipped with a time track and must cover all security channels. d. Systems must remain operable during the loss of primary electrical power. 2. COMMUNICATION SYSTEMS. Communication is the most vital function of a protection system and must be transferred through the network quickly and reliably. Protection system communications must support two vital functions: alarm communication/display and protective force communications. a. Alarm Communication and Display. An alarm communication and display system must transmit alarm signals from intrusion detection sensors and display the information to a security alarm station operator for action. To be acceptable, a system must include fast reporting time (real-time reporting as specified in the SAMACs document), supervision of all communication cables, easy and quick discovery of single-point failures, isolation and control of sensors, and expansion flexibility. (1) Security Design Considerations. The alarm display system must address the following: (a) information to be displayed, (b) how to present the information, (c) how the operator will communicate with the system, and (d) how to arrange the equipment at the operator work station. (2) Integration. The alarm communication and display system must be an integrated system of people, procedures, and equipment designed to address the specific needs and resources of the site. (3) Alarm Assessment. The sensors must be connected to the alarm communication system and displayed at a CAS. The CAS operator must have a means to communicate with the response force for alarm assessment. Normally, two-way radios are used for this communication although paging systems and telephone lines are acceptable alternatives. b. Protective and Response Force Communications. Protective force communications include the procedures and hardware that allow members to communicate with each other. The most common system consists of radios that can operate on low power, are battery operated, and can be hand-held. (1) Design Considerations. The design of a communication system for the protective and response force must address specific features, complexity, resistance to eavesdropping, vulnerability to transmission of deceptive messages, and susceptibility to jamming. (2) Special Response Requirements. Special response team members are required to use digitally encrypted radio and channels that are separate from the normal operations channels. (3) Alternate Means of Communication. Alternate means of communication must be in place, such as telephones, intercoms, public address systems, hand signals, sirens, lights, pagers, couriers, computer terminals, flares, duress alarms, smoke, or whistles. 3. DURESS SYSTEMS. Facilities protecting Category I and II, and roll-up to Category I or II quantities of SNM must have duress capabilities from mobile and fixed posts. The duress system must meet the following requirements. a. Activation of the duress alarm must be as unobtrusive as practicable. The duress alarm must annunciate at the CAS and SAS, but not at the post that initiates the alarm. b. The duress alarm for a CAS must annunciate at the SAS, while the duress alarm for the SAS must annunciate at the CAS. 4. RADIOS. Fixed post radios, mobile radios, and portable radios must be provided to support operational security requirements and the special response team-SPO III requirements. a. The radio system must be capable of accessing operational and support channels used for security. (1) These radios must have sufficient power and sensitivity for two-way communications with the facility base stations on the primary channel. (2) Security communication channels must be restricted to security operations. b. Portable radios must (1) be capable of two-way communication on the primary security channel from within critical buildings and structures and (2) provide an alternate means of communication, if safety or process procedures prohibit transmission within a building or structure. c. Mobile radios and base station radios must be capable of maintaining two-way communication with the CAS on the primary channel. d. Base station radios, which are controlled from the CAS, must include emergency response channels. e. Portable radios must contain sufficient battery capacity to operate for 8 hours at maximum expected duty cycle. Procedures for radio exchange, battery exchange, or battery recharge can be used to meet this requirement. f. Radio repeater station exterior walls must be windowless. Roofs may not have skylights or roof windows. 5. ANTENNA TOWERS, POLES, AND MASTS FOR COMMUNICATIONS SYSTEMS. a. Antennas or reflectors, transmission lines, and other equipment to be mounted on the antenna structures and the location, number, height, material, arrangement, and orientation of antenna structures must comply with DOE M 200.1-1, and be coordinated with the local TEMPEST coordinator. b. Design drawings and specifications must be used as guidance for the following: (1) typical antenna mast suitable for supporting various types of VHF or UHF antennas (drawing shows mounting details); (2) underground, hardened, and remotely controlled telescoping pushup antenna structures and facilities for high-frequency applications. c. Where radio repeater antenna towers, poles, or masts are located away from the building, interconnecting cables must be placed underground or adequately supported by a messenger wire (or cable). The building end of the messenger wire must not be secured to the bulkhead panel unless the panel and appurtenances are designed to support the load. 6. SPECIAL RESPONSE TEAM RADIO COMMUNICATIONS. Special response team radio communications equipment must be capable of transmitting routine and emergency information. Equipment must meet all requirements of the radio system for the rest of the facility, except that the special response team two-way radios must be equipped with digital encryption that meets the requirements of DOE M 200.1-1, TELECOMMUNICATIONS SECURITY MANUAL. Special response team radio equipment must use channels separate from the normal operational channels. 7. TELEPHONE SYSTEMS. Basic underlying protection measures must be in place to prevent the compromise of classified or unclassified sensitive discussions in the vicinity of telephone instruments. a. Telephone Security Group (TSG) Standards must be used as the primary technical and policy resource for DOE for all aspects of telephone systems used in areas where classified information is discussed. See the TSG program manager for more information. b. On-hook security must be provided to all telephone instruments in areas where classified or sensitive government information is discussed as described in TSG 1, Introduction to Telephone Security, and in accordance with one of the following. (1) All telephone switches and specific TSG-approved telephone instruments must incorporate security features. These telephone instruments (listed below) must be part of the TSG type-accepted program and have been accepted for connection to telephone systems that in themselves have no inherent security features: (a) TSG 3, type-accepted program for telephones used with the conventional Central Office Interface; (b) TSG 4, type-accepted program for electronic telephones used with computerized telephone systems; (c) TSG 5, on-hook audio security performance specifications for any other telephone instruments or telephone systems. (2) Telephone instruments must be isolated from uncontrolled lines by means of approved disconnect devices, as outlined in TSG 6. (3) Implementation of TSG standards neither prevents the application of more stringent requirements nor satisfies the requirements of other security programs under the provisions of DOE M 200.1-1, TELECOMMUNICATIONS SECURITY MANUAL. CHAPTER XIII PROTECTION ELEMENT: MAINTENANCE 1. GENERAL REQUIREMENTS. Security-related subsystems and components must be maintained in operable condition. General policy and objectives are provided in DOE O 430.1, Life-cycle Asset Management. A regularly scheduled testing and maintenance program must be established. 2. CORRECTIVE MAINTENANCE. Corrective maintenance must be performed on site- determined essential and non-essential physical protection system elements. a. Corrective maintenance must be initiated within 24 hours of the indication that a malfunction of site-determined essential system elements has occurred for systems protecting Category I quantities of SNM, and roll-up to Category I quantities of SNM and Top Secret matter. b. Compensatory measures must be implemented immediately when any part of the essential system element protecting Category I quantities of SNM, and roll-up to Category I quantities of SNM and Top Secret matter is out of service. Compensatory measures must be continued until maintenance is complete and the essential system element is back in service. c. Corrective maintenance must be initiated within 72 hours of detection of malfunction for all other protection system elements protecting Category I and II SNM and Top Secret matter. Corrective maintenance for these other assets must be determined by the local safeguards and security approving authority. d. Protection system elements protecting Category III and IV quantities of SNM and Secret and Confidential matter must be initiated as prescribed in plant operation procedures for corrective maintenance. Compensatory measures must be applied to maintain the minimum protection requirements of Chapters II and III of this Manual. 3. PREVENTIVE MAINTENANCE. Preventive maintenance is required on critical safeguards and security-related subsystems and components. Preventive maintenance must comply at a minimum with manufacturer's specifications and recommendations. The following system elements must be included in a preventive maintenance program: a. intrusion detection and assessment systems, b. CAS and SAS communications and display systems, c. data and voice communications, d. protective force equipment, e. personnel access control and entry inspection equipment, f. package and matter inspection equipment, g. vehicle inspection equipment, h. security lighting, and i. security system-related emergency power or auxiliary power supplies. 4. MAINTENANCE PERSONNEL ACCESS AUTHORIZATION. Personnel who test, maintain, or service critical systems must have access authorizations consistent with the category of SNM and/or classified matter being protected, unless such testing and maintenance are performed as bench services away from the security area or are under the supervision of an appropriately cleared custodian knowledgeable of the system and/or critical component. Systems or critical components bench-tested or maintained away from a security area by personnel without the appropriate access authorization must be inspected and operationally tested by qualified and cleared personnel prior to being put into service. 5. RECORD KEEPING. Testing records must be retained in accordance with the requirements of records management procedures. CHAPTER XIV PROTECTION ELEMENT: POSTING NOTICES 1. GENERAL REQUIREMENTS. Signs must be posted at facilities, installations, and real property based upon the need to implement Federal statutes protecting against espionage, sabotage, or degradation of safeguards and security interests. a. Signs listing prohibited articles, as stated in Chapter V, Paragraph 1f of this Manual, must be posted at entrances to security areas. b. Warning signs and/or notices must be posted at entrances to areas under protection advising that physical protection surveillance equipment is operational. 2. TRESPASSING. DOE property must be posted according to statutes, regulations, and the administrative requirements for posting specified in this Manual. a. Statutory and Regulatory Provisions. (1) Section 229 of the Atomic Energy Act of 1954, as amended, and as implemented by Title 10 CFR Part 860, prohibits unauthorized entry and unauthorized carrying, transporting, or otherwise introducing or causing to be introduced any dangerous weapon, explosives, or other dangerous instrument or matter likely to produce substantial injury to persons or damage to property into or upon any facility, installation, or real property subject to the jurisdiction, administration, or in the custody of DOE. The statute provides for posting regulations and penalties for violations. (2) Section 662 of the Department of Energy Organization Act, as implemented by Title 10 CFR Part 1048, prohibits unauthorized entry upon and unauthorized carrying, transporting, or otherwise introducing or causing to be introduced, any dangerous instrument or material likely to produce substantial injury or damage to persons or property into or onto the Strategic Petroleum Reserve, its storage or related facilities, or real property subject to the jurisdiction, administration, or custody of DOE. The statute provides for posting regulations and penalties for violations. (3) Title 41 CFR Part 101-19.3 provides rules and regulations governing entry to public buildings and grounds under the charge and control of GSA. b. Posting Proposals. Requirements for the administration of posting proposals are as follows. (1) Conditions. Proposals for the posting of facilities, installations, or real property, or amendment to or revocation of a previous proposal, must be submitted when the following occurs. (a) The property is owned by or contracted to the United States for DOE use. (b) The property requires protection under Section 229, Atomic Energy Act of 1954, as amended, and/or Section 662 of the Department of Energy Organization Act. (c) A previous notice needs to be amended or revoked. (2) Contents. (a) Each posting proposal must contain the name and specific location of the installation, facility, or real property to be covered and the boundary coordinates. If boundary coordinates are not available, the proposal must furnish reasonable notice of the area to be covered, which may be an entire area or any portion thereof that can be physically delineated by the posting indicated in Paragraph 2c below. (b) Each proposal for amendment or revocation must identify the property involved, state clearly the action to be taken (i.e., change in property description, correction, or revocation), and contain a new or revised property description, if required. c. Posting Requirements. (1) Upon approval by the Director of Security Affairs, a notice designating the facility, installation, or real property must be published in the Federal Register; the notice is effective upon such publication, providing the notices stating the pertinent prohibitions and penalties are posted. (2) Property approved by the Director of Security Affairs for coverage under Section 229, Atomic Energy Act of 1954, as amended, must be posted at entrances and at such intervals along the perimeter of the property to provide reasonable assurance of notice to persons who enter therein. Signs must measure at least 11 inches by 14 inches (28 by 36 centimeters). d. Notification to the Federal Bureau of Investigation. Notification of the date of posting, relocation or removal of posting, or other change, and the identity of the property involved must be furnished promptly to the applicable office of the Federal Bureau of Investigation exercising investigative responsibility over the property. CHAPTER XV PROTECTION ELEMENT: SECURITY BADGE PROGRAM 1. GENERAL REQUIREMENTS. The DOE security badge is the Office of Safeguards and Security's approved security badge for access to all DOE facilities. The DOE security badge shall be issued to all Federal and non-Federal personnel and worn in plain view on the upper body during access to DOE facilities. a. Specifications for the badge are set forth in the DOE Badge Program document, published by the Office of Safeguards and Security. b. This DOE Badge Program provides the format for (1) uniform placement of required features such as organization identification, serial number, magnetic stripe, and photograph; (2) designated indicators for access authorizations; and (3) other features. c. The issuing authority's cognizant DOE security office must approve the local DOE security badge procedures, including approval of the badges. By approving the badge, the issuing authority ensures that the badges meet the design requirements provided in the DOE Badge Program Document. Any design parameters that are not met and cause the DOE employee and DOE contractor badges to be unacceptable for access to other DOE sites must be resolved between the issuing authority and the site where access is being denied. d. The issuing authority is responsible for educating badge holders on the proper use and responsibilities associated with DOE security badges. e. The cognizant DOE security office may exclude property protection areas from the requirement that personnel wear their security badges if the areas are not used exclusively for DOE interests and public access is invited, or when the areas are within the public domain, as on a college campus. In addition, the cognizant DOE security office may exempt DOE and DOE contractor facilities and operations involving access of fewer than 30 people in accordance with Paragraph 3d below. f. The issuing authority must approve procedures for recovering security badges, which must be carefully followed at each site. DOE badges must be returned to the cognizant DOE security office or otherwise recovered in the following situations: (1) Federal employees leave employment or are transferred; (2) DOE contractor or subcontractor personnel are either transferred or their contracts terminate or expire. 2. SECURITY BADGES. DOE badge categories are as follow. a. DOE Employee and DOE Contractor Employee Badges. These are the permanent DOE security badges that must be issued to Federal and non-Federal employees for access to sites throughout the DOE complex. (1) Only one permanent DOE badge may be issued to each employee. (2) The information for that badge holder must be entered into the Visitor Access Database (VADB), except for local site-specific badges as defined in "2d" below. The VADB is used to determine access privileges when the badge holder is visiting other DOE sites. (3) These badges must be issued by the organization/badging authority reporting to the DOE element holding the personnel clearance file. If the employee does not possess an active personnel security file, the badge must be issued by the employee's home site. b. Local Site-Specific Only (LSSO) Badges. The term LSSO applies to all non-standard DOE security badges. (1) LSSO badges include visitor badges, provisional badges, foreign national (FN) badges, and other site-specific badges designed and implemented to meet local requirements. (2) The cognizant local DOE authority for safeguards and security must prescribe procedures for the design, issuance, use, and return of LSSO badges. (a) The issuing authority must instruct the recipient that LSSO badges may only be used at the issuing site, as well as any other site limitations that may apply. (b) Sites may not grant admission to anyone using an LSSO badge issued by another site. (c) LSSO badges may be honored for access only at the site where they were issued. (d) LSSO badges issued by other than the local DOE safeguards and security authority and used in an attempt to gain access must be confiscated. However, LSSO badges may be used as photo identification in order to obtain an authorized locally issued badge and will not be confiscated in that situation. (e) The LSSO badge may or may not contain the individual's photograph. (3) DOE badge specifications allow LSSO provisional and visitor badges to follow the color coding for access authorization and be usable in the site automated access controls system. However, LSSO provisional and visitor badges must be distinctive in other ways to prevent their use at sites other than the sites where the badges were issued. c. Visitor and Temporary Badges. A procedure for the issuance of visitor and temporary badges must be implemented locally. The visited site must issue an LSSO badge for the on-site visit of authorized personnel who have not been provided a DOE security badge as described in the DOE Badge Program Document, Volume I. (1) An LSSO badge may be issued to visitors, such as military and other Federal agency personnel who require long-term access to DOE facilities but do not occupy full-time DOE positions. These visitors may be issued an LSSO badge if they possess a "Q" or "L" DOE access authorization or a "TS" or "S" clearance granted by a Federal agency other than DOE. This category includes (a) DOE contractors, local military, and other Federal personnel who are given site-specific access but whose duties do not require them to access other DOE facilities or Restricted Data and/or (b) those personnel awaiting DOE "Q" or "L" access authorization. (2) Personnel who are issued DOE LSSO security badges may not use their badges to enter any DOE facility other than the one where the badge was issued. (3) Visitors and military or other Federal agency personnel not provided with a permanent DOE security badge must follow the visitation procedures of the site to be visited as approved by the visited site's local DOE safeguards and security approving authority. (4) Visitors who hold an LSSO badge from another site and who request access to limited areas, exclusion areas, protected areas, and material access areas or classified information including sigmas must submit DOE F 5631.20, "Request for Visit or Access Approval," as indicated in DOE O 470.1, SAFEGUARDS AND SECURITY PROGRAM. (a) The request must be submitted by the individual's DOE sponsor if he/she travels in DOE's interest or by the individual's parent employer if he/she travels in the employer's interest. (b) Visit requests must be sent directly from visiting individuals' security officers to security officers at the sites to be visited. d. Provisional Badges. Provisional or temporary badges may be issued to DOE and contractor employees under the locally developed procedures as a temporary measure when badges are lost, forgotten, or stolen. Provisional or temporary badges may be designed without the use of the DOE standard badge colors to indicate clearance, and without the name and photograph. Provisional badges must clearly indicate the temporary nature of the badge. e. Foreign National Badges. Badges issued to FNS must be as follows. (1) Cleared Foreign National DOE Employees and DOE Contractor Employees. Cleared FNS must be issued a DOE security badge. The only difference between the cleared foreign national badge and the DOE standard badge is that the individual's country of citizenship must be displayed. The DOE security badge issued to the cleared FN must be issued by the organization/badging authority reporting to the DOE element holding the personnel clearance file. Cleared FNS must adhere to the requirements in DOE N 142.1, Unclassified Foreign Visits and Assignments, or the Classified Visit portion of the Safeguards and Security Program (DOE O 470.1) when visiting other DOE facilities. (2) Uncleared Foreign Nationals. This badge must be issued to uncleared employees who are not citizens of the United States, and whose duties require routine or regular access to DOE facilities in performance of their official duties. FNs who do not possess active personnel security files must be issued an LSSO badge by the employee's home site. These badges issued to uncleared foreign national employees must be red in color. (Note: The color red is reserved exclusively for uncleared foreign national badges. This color must not be used for any other type of LSSO badge.) f. Other Site-Specific Badges. LSSO badges may be developed and issued to address a variety of issues to meet site-specific requirements. These badges need not meet the standard DOE badge design given in the DOE Badge Program Document, but they cannot follow the color schemes used for DOE employee badges, contractor employee badges, or uncleared foreign nationals badges. 3. ISSUANCE, USE, RECOVERY, AND DESTRUCTION OF SECURITY BADGES. The requirements that apply to the issuance, use, recovery, and destruction of security badges are as follows. a. Issuance of Security Badges. Security badges that meet the requirements in the DOE Badge Program Document must be issued to all DOE employees and contractor employees who have been granted DOE access authorizations (see DOE O 472.1B). These badges must be used and accepted at other DOE sites and facilities. b. Site Usage. Appropriately-coded security badges must be used and accepted as evidence of an access authorization (or security clearance) and must be accepted for admittance to limited areas without need for additional badging. (1) Verification of an individual's DOE access authorization level and determination of "need-to-know" remain the responsibility of the individual or organization being visited prior to granting access to SNM or classified information. (2) The information on the magnetic stripe must not be used for any purpose other than access control. The information on the magnetic stripe must not be collected and stored outside of DOE access control applications. c. Individual Requirements. The individual receiving the DOE security badge is responsible for (1) protecting security badges against loss, theft, or misuse and reporting a lost, stolen, or misused badge to the cognizant security office within 24 hours of discovery; (2) maintaining the badge in good condition and protecting its integrity by ensuring that the badge is not altered, photocopied, counterfeited, reproduced, or photographed; (3) returning the security badge to the local safeguards and security authority when it is no longer valid or required; or (4) returning the security badge when requested by the supervisor, safeguards and security office, or protective force personnel; (5) wearing the badge conspicuously, photo side out, in a location above the waist and on the front of the body while having access to DOE facilities (this requirement may be nullified for health or safety reasons); (6) ensuring that badges are not used as a means of identification outside of DOE facilities or other Government facilities. d. 30-Person or Less Operation. (1) DOE security badges must be used at DOE and DOE contractor facilities and operations involving access of 30 or more people to safeguards and security interests and/or security areas. (2) Less-than-30-person operations may be excluded from the security badge requirement only when the nature of activities and involvements permits adherence to a personal recognition system that provides similarly high levels of assurance that unauthorized persons will not be allowed access to security areas, facilities, classified matter, or other security interests. e. Recovery of Security Badges. DOE security badges are the property of the Government and must be returned to the issuing office whenever an individual has terminated employment, is transferred (including transfer of contractor between contracts and when changing employment with contractors at the same site), or otherwise no longer requires the badge. (1) Individuals who no longer have a valid requirement for access to DOE facilities must surrender their badges to the local DOE issuing office. (2) Badges issued to employees, contractors, and other individuals must be recovered at the final security checkpoint or earlier, and the individual(s) must be escorted from the site if circumstances or conditions indicate such action is needed. Recovered security badges must be destroyed. (3) If a terminated employee's security badge is not recovered, the badge is to be treated as a lost or stolen badge and reported to the issuing office to prevent misuse of the badge. f. The badge may be recovered and reissued, with a new photograph, if the individual's appearance has changed significantly. g. Security badges that are no longer needed must be destroyed so that the badge cannot be reconstructed. If destruction is not immediate, badges must be stored in a secure manner until they can be destroyed. Provisional and visitor's badges that do not include individuals' photos must be recovered and may be reissued. 4. ACCOUNTABILITY OF BADGES. Records must be maintained by issuing offices showing the disposition of security badges. Such records must include, as a minimum, description and serial number of item issued, date of issuance, and name, organization, and date of destruction. a. Records. Records must be maintained in accordance with the requirements of the records management program. b. Lost Badges. A record of missing security badges must be maintained. Personnel and/or systems controlling access to security areas must be provided current information regarding missing badges in order to prevent security badge misuse. The loss or recovery of badges must be reported immediately to the issuing office. 5. PROTECTION OF SECURITY BADGE MATERIALS AND EQUIPMENT. Stocks of badging materials, unissued security badges, and badge-making and processing equipment must be stored to protect against loss, theft, or unauthorized use. All personnel with access to badge materials and badge-making equipment must have access authorizations or clearances to the highest level of security badges that would be required because of materials present. 6. BADGE VALIDATION. Protective personnel at access control portals must validate the security badge at all DOE facilities by touching all DOE security badges, including pedestrians or those inside vehicles, and ensuring that the badge photo matches the presenter's face and that the badge has not been altered. This standardized procedure applies at all portals where protective personnel validate the identity of the badge holder. Badge validation by protective personnel is not required at access control portals that rely on automated access control systems for entry into DOE facilities; however, other methods of validation may be required as specified in Chapter IX. APPENDICES CONTRACTOR REQUIREMENTS DOCUMENT DOE M 473.1-1, PHYSICAL PROTECTION PROGRAM MANUAL This Contractor Requirements Document (CRD) is issued to aid in the identification of requirements applicable to contractors, as stated in Paragraph 5 of the CRD attached to DOE O 473.1, PHYSICAL PROTECTION PROGRAM. All requirements contained in DOE M 473.1-1 apply to contractors with responsibilities for operating and administering the Department's physical protection program and/or for protecting safeguards and security interests. The requirements in this Manual must flow down to all subcontractors who have responsibilities for operation, administering, and/or protecting DOE safeguards and security interests. REFERENCES 1. Nuclear Waste Policy Act of 1982, Public Law 97-425, as amended. 2. Title 42 U.S.C. 7270b, Trespass on Strategic Petroleum Reserve Facilities, which a. authorizes issuance of regulations concerning unauthorized entry into or upon the Strategic Petroleum Reserve, its storage or related facilities, or real property subject to the jurisdiction, administration, or in the custody of the Secretary of Energy under Part B of Title I of the Energy Policy and Conservation Act (42 U.S.C. 6231-6247); and b. prohibits carrying, transporting, or otherwise introducing or causing to be introduced any dangerous weapon, explosives, or other dangerous instrument or material likely to produce substantial injury or damage to persons or property into or upon such property; and c. provides that any person who willfully violates regulations issued under 42 U.S.C. 7270b is guilty of a misdemeanor and must be punished upon conviction by a fine of not more than $5,000, imprisonment of not more than 1 year, or both. 3. Title 42 U.S.C. 2011, et seq. (Atomic Energy Act of 1954, as amended): a. Chapter 23, Subchapter XI, Control of Information, Sections 2162 2167, inclusive, which set forth the principles for the control of Restricted Data; b. Chapter 23, Subchapter XVII, Enforcement, Sections 2274 2277, which set forth the authority necessary to protect Restricted Data and property and establishes criminal penalties for violation of provisions of the Atomic Energy Act; c. Chapter 23, Subchapter XVII, Enforcement, Section 2278a, which sets forth the authority to issue regulations and establish penalties for violating these regulations relating to the entry upon or carrying, transporting, or otherwise introducing or causing to be introduced any dangerous weapon, explosives, or other dangerous instrument or material likely to produce substantial injury or damage to persons or property, into or upon any facility, installation, or real property of the DOE or the NRC. 4. Title 10 CFR 73.37, Requirements for Physical Protection of Irradiated Reactor Fuel in Transit, which identifies procedures for protecting licensee shipments of irradiated reactor fuel. Appendix D establishes training requirements for escorts of licensee shipments. Appendix E establishes levels of physical protection to be applied to international shipments. 5. Title 10 CFR Part 710, Criteria and Procedures for Determining Eligibility for Access to Classified Matter or Special Nuclear Material, which establishes policies on personnel security clearances. 6. Title 10 CFR Part 860, Trespassing on Department of Energy Property, which is issued for the protection and security of facilities, installations, and real property subject to the jurisdiction or administration of, or in the custody of, DOE. 7. Title 10 CFR Part 1048, Trespassing on Strategic Petroleum Reserve Facilities and Other Property, which is issued for the protection and security of (a) the Strategic Petroleum Reserve, its storage or related facilities, and real property subject to the jurisdiction or administration or in the custody of DOE under Part B, Title I of the Energy Policy and Conservation Act, as amended (42 U.S.C. 6231-6247); and (b) persons upon the Strategic Petroleum Reserve or other property subject to DOE jurisdiction under Part B, Title I of the Energy Policy and Conservation Act. 8. Title 41 CFR Chapter 101, Federal Property Management Regulations, which sets forth introductory material concerning the Federal Property Management Regulations System; its content; types; publications, including federal specifications and standards; authority; applicability; numbering; deviation procedures; as well as agency consultation, implementation, and supplementation. 9. Title 48 CFR Section 952.204-2, Security Requirements, which provides clauses to be included in contracts that involve or are likely to involve classified information, and Section 952.245-2, Government property (fixed-price contracts), which includes clauses to be inserted in all contracts and modifications to contracts involving Government property. 10. Title 49 CFR, Chapter I, Research and Special Programs Administration, Department of Transportation, Subchapter C, Hazardous Materials Regulations, which identifies Federal rules for packaging and transporting hazardous materials, hazardous substances, and hazardous wastes, and Section 173.22, "Shipper's Responsibility," which describes physical protection requirements for the shipment of unclassified irradiated reactor fuel. 11. Executive Order 12829, National Industrial Security Program, of 1-6-93, which establishes a single, integrated, cohesive industrial security program to protect classified information and to preserve the Nation's economic and technological interests. 12. Executive Order 12958, Classified National Security Information, dated 4-17-95, which provides requirements concerning classification of information. 13. DOE O 151.1, Comprehensive Emergency Management System, dated 9-25-95, which identifies overall policy and requirements for an emergency management system. Specifically, Chapter IV, Operational Emergency Hazardous Material Program, and Chapter V, Operational Emergency Events and Conditions, establish requirements for site-specific emergency plans and procedures for radiological emergencies (including malevolent threats or acts) occurring in DOE reactor and non-reactor nuclear facilities. 14. DOE O 200.1, Information Management Program, dated 9-30-96, which ensures DOE missions and goals, information, information resources, and information technology investment decisions will be made based on programmatic need. DOE M 200.1-1, Telecommunications Security Manual, provides for approved methods of transmitting Communications Security (COMSEC) material and COMSEC keying material. 15. DOE O 232.1A, Occurrence Reporting and Processing of Operations Information, dated 7- 21-97, which establishes a system for reporting operation information related to facilities and processing that information to provide for the appropriate corrective action. 16. DOE O 430.1A, Life Cycle Asset Management, dated 10-14-98, which establishes DOE policies and procedures for planning the development and use of sites and facilities, provides general policy and objectives for the management and performance of cost-effective maintenance and repair of property, and provides design criteria for use in the acquisition of the Department's facilities. 17. DOE O 452.1A, Nuclear Explosive and Weapons Surety Program, dated 01-17-97, which establishes DOE nuclear surety objectives. 18. DOE O 452.2, Safety of Nuclear Explosive Operations, dated 01-17-97, which establishes the responsibilities for nuclear safety, security, and control. 19. DOE O 460.1A, Packaging And Transportation Safety, dated 10-2-96, which establishes policies and procedures for approval of package designs for radioactive materials. 20. DOE O 460.2, Departmental Materials Transportation and Packaging Management, dated 9- 27-95, which establishes policies and procedures for materials transportation and packaging operations. 21. DOE O 470.1, Safeguards and Security Program, dated 9-28-95, which provides policies for the safeguards and security program; specifically paragraph f, which establishes the deviation program. a. Chapter I, Safeguards And Security Program Planning, which establishes a standard approach to protection program planning. b. Chapter III, Performance Assurance Program, which establishes a systematic process for demonstrating the adequacy and functional reliability of critical system elements. c. Chapter V, Facility Clearances And Registration of Safeguards And Security Activities, which establishes DOE requirements for on-site security and/or nuclear materials surveys of facilities with safeguards and security interests. d. Chapter VIII, Control of Classified Visits Program, which establishes standards and procedures for controlling visitors to DOE and DOE contractor, subcontractor, and access permitted facilities. 22. DOE O 471.2A, Information Security Program, dated 3-27-97, which establishes the policies, procedures, and responsibilities for the protection and control of classified and sensitive information, specifically Chapter III, Classified Information Systems Security, which establishes requirements, policies, and responsibilities for the development and implementation of a DOE program to ensure the security of information stored in classified computer systems. 23. DOE M 471.2-1B, Classified Matter Protection and Control MANUAL, dated 1-6-99, Chapter III, PHYSICAL PROTECTION, which establishes the physical requirements for the protection of classified matter. 24. DOE O 472.1B, Personnel Security Activities, dated 3-24-97, which establishes the policy, responsibilities, and authorities for implementing the DOE Personnel Security Program. 25. DOE O 474.1, Control And Accountability of Nuclear Materials, dated 8-11-99, which prescribes DOE policies and responsibilities for control and accountability of nuclear materials. 26. DOE M 474.1-1, Manual For Control And Accountability of Nuclear Materials, dated 8-11- 99, which implements DOE O 474.1 in that it prescribes the DOE requirements and procedures for nuclear material control and accountability. 27. DOE 1240.2B, Unclassified Visits and Assignments by Foreign Nationals, dated 8-21-92, which establishes authorities, responsibilities, and policy, and prescribes administrative procedures for visits and assignments by foreign nationals to DOE facilities. 28. DOE 1450.4, Consensual Listening-in to or Recording Telephone/ Radio Conversations, dated 11-12-92, which specifies the DOE policy regarding the consensual listening-in to or recording of conversations on radio and telephone systems. 29. DOE 5632.7A, Protective Force Program, dated 4-13-94, which prescribes DOE policies and responsibilities for the protective force charged with the protection of safeguards and security interests. 30. "Access Delay, Technology Transfer Manual," SAND 87-1926/UC-515, Sandia National Laboratories, dated 9-89, which defines the role of barriers in a physical protection program, provides a source for penetration times for barriers, and defines methods for upgrading existing barriers. 31. "Alarm Communication and Display Technology Transfer Manual," SAND 90-0729/ UC-515, Sandia National Laboratories, dated 5-17-90, which provides a description of the hardware and techniques required to implement an alarm communication and display system. 32. American Nuclear Standard Institute (ANSI) X3.92-1981 (R 1998), Data Encryption Algorithm, also known as FIPS 46.1. 33. ASTM E413-87(1999), "Standard Classification for Rating Sound Insulation." This classification provides methods of calculating single-number acoustical ratings for laboratory and field measurements of sound transmission obtained in one-third octave bands. The method may be applied to laboratory or field measurements of the sound transmission loss of a partition in which case the single-number ratings are called sound transmission class (STC) or field sound transmission class (FSTC), respectively. 34. ASTM F792-88 (1993)el, "Standard Practice for Design and Use of Ionizing Radiation Equipment for the Detection of Items Prohibited in Controlled Access Areas," which covers the use of ionizing radiation imaging techniques for the detection of questionable items, such as weapons and devices intended to trigger explosives, in order to determine their presence in hand-carried baggage, packages, checked or unaccompanied luggage, cargo, or mail at screening points for controlling access to secure areas. 35. CGSS-3, Classification Guide for Safeguards and Security Information, of 8-1-94, Office of Classification and Technology Policy, which provides classification determinations for National Security Information (NSI) concerning nuclear safeguards and various aspects of security and guidance for classifying documents and materials containing NSI, Formerly Restricted Data, and/or Restricted Data. 36. "Design Basis Threat for the Department of Energy Programs and Facilities (U)" of February 1999, issued by the Director of Security Affairs, which identifies and characterizes the range of potential adversary threats to the Department's programs and facilities, which could adversely affect national security, the health and safety of employees or the public, the environment, or DOE safeguards and security interests. 37. DCID 1/21, "Physical Security Standards for Sensitive Compartmented Information Facilities," dated 1-30-94, which provides standards for the protection of classified information requiring extraordinary security safeguards. 38. DCID 1/22, "Technical Surveillance Countermeasures," dated 7-3-85, which establishes the policy and procedures for the conduct and coordination of technical surveillance countermeasures. 39. "Entry Control Systems, Technology Transfer Manual," SAND 87-1927, Sandia National Laboratories, of 12-8-88, which compiles information regarding entry control systems and their application to physical protection programs. 40. "Exterior Intrusion Detection Systems Technology Transfer Manual," SAND 89-1923/UC- 515, Sandia National Laboratories, of 2-28-90, which discusses each class of detection systems and how to select the proper sensors and how to combine them into an effective perimeter subsystem. 41. Federal Specification W-A-450-C, "Alarm Systems Protective, Interior," which provides specifications for interior alarm systems. 42. Federal Specification AA-D-600B, "Door, Vault, Security," which provides specifications for vault doors. 43. Federal Specification AA-V-2737, "Modular Vault Systems," which describes a relocatable system for storing classified matter that provides a minimum of 15 minutes of protection against a multilevel tool attack, including torches, portable electric drills, power saws, hydraulic jacks, and other tools. 44. Federal Specification FF-L-2740, "Locks, Combination," which covers changeable combination locks designed to be mounted on safes, security files, vault doors, and similar items. 45. Federal Specification FF-P-2827, "Padlock, Key Operated, General Field Service," which describes two sizes of "U"-shaped shackle, key-operated, heavy-duty commercial padlocks. 46. Institute of Electrical and Electronic Engineers (IEEE) C37.91-1985 (R1990) "IEEE Guide for Protective Relay Applications to Power Transformers (ANSI)." 47. "Protecting Security Communications, Technology Transfer Manual," SAND 90-0397/UC- 515, Sandia National Laboratories, dated 1-90, which discusses the functions of a security communications network, its susceptibility to disruption, and the means by which security radio communications may be protected. 48. Safeguards and Security Glossary of Terms, Office of Safeguards and Security, of 12-18-95, which contains standardized definitions of terms used in the Safeguards and Security Program. 49. Underwriters Laboratories (UL) Standard 365-1994, "Standard for Safety for Police Station Connected Burglar Alarm Units and Systems," which states requirements covering construction, performance, and maintenance of police station connected burglar alarm units and systems. 50. UL Standard 752-1997, "Standard for Safety for Bullet-Resisting Equipment," which provides a standard for bullet-resisting equipment. 51. U.S. Department of Energy Security Container and Locking Device Guide, dated 10-93, which contains information on locks and security storage devices. 52. Video Assessment Technology Transfer Manual, SAND 89-1924/UC-515, Sandia National Laboratories, dated 8-21-89, which compiles information regarding video assessment systems used in physical protection programs. 53. Volume 50 FR 46452, "Federal Radiological Emergency Response Plan," dated 11-8-85, which describes Federal agency responsibilities during peacetime radiological emergencies including those in transportation.